Re: [fw-wiz] A fun smackdown...

From: Chuck Swiger (
Date: 05/21/05

    To: "Marcus J. Ranum" <>
    Date: Sat, 21 May 2005 14:21:39 -0400

    On May 21, 2005, at 12:58 PM, Marcus J. Ranum wrote:
    > Chuck Swiger wrote:
    >> By definition, the IETF is concerned with systems which interoperate
    >> over public networks using network-wide conventions and publicly
    >> documented standards. What people do with private machines or
    >> private networks is up to them, at least so long as they *don't*
    >> connect those machines to the Internet.
    > You're completely ignoring the fundamental dilemma that I am trying
    > to get you to confront. My position in a nutshell:
    > - "Standards that don't take security into account are not
    > internet-worthy"
    > and you're asserting
    > - "If you don't follow standards you break 'legitimate' traffic"
    > The problem is that, since the standards don't take security into
    > account, the traffic is not 'legitimate' - it's 'dangerous' and a
    > security device can and SHOULD interfere with it.

    You've asserted that all standards are useless. You've asserted that
    standards which do not take security into account are not
    internet-worthy. You seem to believe that no Internet standard is
    legitimate and all traffic must be considered dangerous.

    Your position is comprehensible but so extreme as to not be especially
    useful. By analogy:

    There is a non-skid surface on the floor of my tub, but I could still
    break my neck if I slipped, I suppose. Should I worry about this
    horrible possibility excessively? So much that I forget to lock my
    front door? It's useful to worry about stuff which is likely to
    happen, is likely to matter, and is something you can do something
    useful about, without spending so much effort that the net impact
    outweighs the loss of productive work.

    > Maybe the first time someone invents a PMTUD denial of
    > service attack you'll "get it."

    People have already played lots of games using ICMP traffic.
    Rate-limiting ICMP responses and preventing replies to network
    broadcast addr's to prevent amplification/DoS works pretty well for

    If I try to talk to using DF, I expect that to work.
    I don't agree that a firewall should block ICMP unreachable messages
    generated for a connection which would normally be permitted by the
    security policy. Rate-limit, sure. But not blackhole...

    firewall-wizards mailing list
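The stateful treatment Swiger argues for (rate-limit ICMP errors, but do not blackhole the fragmentation-needed messages that belong to a permitted connection), as an added example that is not code from the thread: a small Python filter that passes an ICMP type 3 code 4 error only when the datagram it quotes matches a flow the policy already allows, and throttles bursts per reporting router. The flow table, the documentation-range addresses and the packet builder are constructed for the example.

```python
import struct
from collections import deque
# Constructed example: flows the security policy already permits (src, dst, proto, sport, dport).
PERMITTED_FLOWS = {("192.0.2.10", "198.51.100.5", 6, 40000, 443)}

def parse_frag_needed(pkt):
    """Parse an ICMPv4 datagram; for type 3 code 4 (fragmentation needed, DF set)
    return the quoted inner 5-tuple and the next-hop MTU, otherwise None."""
    if len(pkt) < 36:  # 8-byte ICMP header + 20-byte inner IP header + 8 bytes of transport
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    if typ != 3 or code != 4:
        return None
    inner = pkt[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        return None
    proto = inner[9]
    src, dst = (".".join(map(str, inner[i:i + 4])) for i in (12, 16))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (src, dst, proto, sport, dport), mtu

class IcmpErrorFilter:
    """Pass frag-needed errors that quote a permitted flow, rate-limited per reporting router."""
    def __init__(self, flows, per_src_limit=10, window=1.0):
        self.flows, self.limit, self.window = flows, per_src_limit, window
        self.recent = {}  # reporting router -> timestamps of recently passed errors

    def decide(self, outer_src, pkt, now):
        parsed = parse_frag_needed(pkt)
        if parsed is None:
            return ("drop", None)  # not a frag-needed error; other ICMP types are policed elsewhere
        flow, mtu = parsed
        if flow not in self.flows:
            return ("drop", None)  # quotes no session we allowed: spoofed, stale or probing
        if mtu < 68:
            return ("drop", None)  # below the IPv4 minimum link MTU, cannot be genuine
        q = self.recent.setdefault(outer_src, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return ("ratelimit", mtu)  # burst from one source: throttle, do not blackhole
        q.append(now)
        return ("pass", mtu)

def build_frag_needed(src, dst, proto, sport, dport, mtu):
    """Constructed test datagram: ICMP header, quoted inner IPv4 header (DF set), 8 transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0, 0x4000, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + ip + struct.pack("!HHI", sport, dport, 0)
```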
