Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?
From: Marcus J. Ranum (mjr_at_ranum.com)
To: "Paul D. Robertson" <email@example.com>, firstname.lastname@example.org
Date: Tue, 31 May 2005 00:41:19 -0400
Paul D. Robertson wrote:
>AV isn't going to be effective against most custom Trojan Horses.
We've always known that this was the end-game of malware. And I
know you've been part of the choir on this particular psalm for a
very long time. :)
The late 1990's and early 2000's were characterized by a foolish
exuberance of connectivity. It's going to take some time to roll
that back, and there are going to be a lot of casualties in the
process. <Shrug> "Think of it as evolution in action" as
Niven and Pournelle would say. Industry has been completely
unwilling to listen to sense, and prefers to alternate between
burying its head in the sand and beating it against the wall.
Neither of those approaches is going to work in the long run
but they feed a lot of drones and make stupid people feel good.
I characterize those 2 approaches as:
-- Use crappy software and try to patch it into a state of
-- Try to enumerate (and block) all the bad stuff, rather than
enumerating (and permitting) only the good stuff
All of what we today call "vulnerability management" patching,
auditing, etc, are examples of the first. Antivirus, DPI firewalls,
IPS, and poorly configured firewalls are examples of the latter.
99% of the firewalls out there are already _way_ too
permissive; they allow arbitrary traffic outbound on many
services, because their administrators somehow think
that merely controlling port flows is "security". I was swapping
Email with a guy last week who was puzzling over "how do
you do SMB securely through a firewall?" and he seemed
to think I was a nutbar for replying "You can't. Period." As
if simply *wishing* it were securable were enough! The
recent threads about DPI firewalls have been really
depressing to me; I see the signs that a lot of "security
practitioners" have bought into the "patch, then patch
again" and "try to enumerate all the bad stuff" philosophies.
They're very attractive but they're fundamentally never going
If custom trojans become a mass-media security meme,
then look for a handful of venture-funded startups in the
next year, offering bogus products designed to detect
and trap these custom malware agents. Of course they
won't work but they'll make a lot of fools sleep better
and they'll make a lot of canny businessmen rich(er).
firewall-wizards mailing list
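The contrast Ranum draws above, between a firewall that tries to enumerate and block the bad services and one that enumerates and permits only the good ones, can be made concrete as two nftables forward-chain policies. This is an added example, not part of the original post or of any ruleset Ranum describes; the interface names `lan0` and `wan0`, the internal resolver, web proxy and mail relay addresses (taken from the 192.0.2.0/24 documentation range), and the "permissive" versus "default-deny" table names are all assumptions made for illustration. The two tables are alternatives: load only one of them.

```nft
#!/usr/sbin/nft -f
# Constructed example: two egress policies for a forwarding firewall.
# Interface names and addresses are assumptions (192.0.2.0/24 is TEST-NET-1).

# Policy 1, the "enumerate the bad stuff" approach Ranum criticises:
# chain policy is accept, so any outbound flow not named below is allowed,
# including whatever port a custom trojan chooses to talk home on.
table inet fw_permissive {
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state established,related accept
        ct state invalid drop
        # Block a handful of services we already know are bad outbound.
        iifname "lan0" oifname "wan0" tcp dport { 135, 137, 138, 139, 445 } drop
        iifname "lan0" oifname "wan0" udp dport { 137, 138 } drop
        iifname "lan0" oifname "wan0" tcp dport 25 drop
        # Everything else falls through to "policy accept".
    }
}

# Policy 2, the "enumerate the good stuff" approach:
# chain policy is drop, and the only outbound flows that exist are the ones
# listed, each restricted to the one internal host that is supposed to
# originate it. SMB outbound is not "blocked"; it is simply never permitted.
table inet fw_default_deny {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # DNS: only the internal resolver may query outside.
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.53 udp dport 53 accept
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.53 tcp dport 53 accept
        # Web: only the proxy may reach 80/443; clients must go through it.
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.80 tcp dport { 80, 443 } accept
        # Mail: only the relay may speak SMTP outbound.
        iifname "lan0" oifname "wan0" ip saddr 192.0.2.25 tcp dport 25 accept
        # Anything not enumerated above is logged and dropped.
        iifname "lan0" oifname "wan0" log prefix "egress-denied: " drop
    }
}
```

Load with `nft -f <file>` after removing whichever table you are not using; `nft -c -f <file>` checks the syntax without applying it. Note that the default-deny ruleset still only controls port flows, which is exactly the point Ranum makes is not "security" by itself: its value is that it forces the permitted protocols through the resolver, proxy and relay hosts, where application-level inspection and policy can be applied, and leaves nothing for a custom trojan to ride on that has not been explicitly decided upon.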