Re: [fw-wiz] A fun smackdown...

From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/21/05

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Sat, 21 May 2005 11:48:37 -0400

    On May 20, 2005, at 9:57 PM, Marcus J. Ranum wrote:
    > Chuck Swiger wrote:
    >> You are disagreeing with a design principle from the RFCs which
    >> discuss how to create robust software protocols.
    >
    > The RFCs often used to contain the phrase "this RFC does not address
    > security." Is that one of those great design principles the IETF uses
    > to create "robust software protocols"??

    Sometimes, yes. I'd rather see an explicit statement that says, "this
    is not a secure protocol", than use something which pretends to be
    secure, yet is not.

    The older RFCs-- before 2000 or so-- were a lot more concerned with
    defining standards for interoperability than for security. Newer RFCs
    tend to show a lot more concern for security.

    > The RFC process creates interoperable *CRAP*.

    Let's accept this as true for a moment. Can you point to something
    better?

    What about the ISO model, the X.400 & X.500 schemas, and ASN.1?
    How well have BER, SNMP, SSL certs, and all of that done in practice for
    security?

    Or how about the security vendors, who break standards to create
    proprietary, non-interoperable crap? What's the current status of
    VRRP? Is that an open standard, free for all to use, or is it
    encumbered?

    > [ ... ]
    > The RFCs are written by well-intentioned amateurs who never gave
    > a rat's a&& for security, and the resulting Internet reflects it.

    Not always. There are people, even on this list, who could learn
    something from:

    http://www.ietf.org/rfc/rfc2196.txt

        As an aside, building a "home grown" firewall requires a significant
        amount of skill and knowledge of TCP/IP. It should not be trivially
        attempted because a perceived sense of security is worse in the long
        run than knowing that there is no security. As with all security
        measures, it is important to decide on the threat, the value of the
        assets to be protected, and the costs to implement security.

    Give that RFC a fair read, Marcus, and then see whether you still agree
    with your own generalization above.

    -- 
    -Chuck
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards