Re: [fw-wiz] A fun smackdown...
From: Chuck Swiger (chuck_at_codefab.com)
To: "Marcus J. Ranum" <email@example.com> Date: Sat, 21 May 2005 11:48:37 -0400
On May 20, 2005, at 9:57 PM, Marcus J. Ranum wrote:
> Chuck Swiger wrote:
>> You are disagreeing with a design principle from the RFC's which
>> discusses how to create robust software protocols.
> The RFCs often used to contain the phrase "this RFC does not address
> security." Is that one of those great design principles the IETF
> to create "robust software protocols"??
Sometimes, yes. I'd rather see an explicit statement that says, "this
is not a secure protocol", then use something which pretends to be
secure, yet is not.
The older RFCs-- before 2000 or so-- were a lot more concerned with
defining standards for interoperability than for security. Newer RFC's
tend to show a lot more concern for security.
> The RFC process creates interoperable *CRAP*.
Let's accept this as true for a moment. Can you point to something
What about the ISO model, the X.400 & X.500 schemas, and ASN.1?
How well has BER, SNMP, SSL certs, and all of that done in practice for
Or how about the security vendors, who break standards to create
proprietary, non-interoperable crap? What's the current status of
VRRP? Is that an open standard, free for all to use, or is it
> [ ... ]
> The RFCs are written by well-intentioned amateurs who never gave
> a rat's a&& for security, and the resulting Internet reflects it.
Not always. There are people, even on this list, who could learn
As an aside, building a "home grown" firewall requires a significant
amount of skill and knowledge of TCP/IP. It should not be trivially
attempted because a perceived sense of security is worse in the long
run than knowing that there is no security. As with all security
measures, it is important to decide on the threat, the value of the
assets to be protected, and the costs to implement security.
Give that RFC a fair read, Marcus, and then see whether you still agree
with your own generalization above.
-- -Chuck _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards