Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?

From: Marcus J. Ranum
Date: 05/31/05

  • Next message: Fritz Ames: "Re: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
    To: "Paul D. Robertson"
    Date: Tue, 31 May 2005 00:41:19 -0400

    Paul D. Robertson wrote:
    >AV isn't going to be effective against most custom Trojan Horses.

    We've always known that this was the end-game of malware. And I
    know you've been part of the choir on this particular psalm for a
    very long time. :)

    The late 1990's and early 2000's were characterized by a foolish
    exuberance of connectivity. It's going to take some time to roll
    that back, and there are going to be a lot of casualties in the
    process. <Shrug> "Think of it as evolution in action" as
    Niven and Pournelle would say. Industry has been completely
    unwilling to listen to sense, and prefers to alternate between
    burying its head in the sand and beating it against the wall.
    Neither of those approaches is going to work in the long run
    but they feed a lot of drones and make stupid people feel good.
    I characterize those 2 approaches as:
    -- Use crappy software and try to patch it into a state of
    -- Try to enumerate (and block) all the bad stuff, rather than
       enumerating (and permitting) only the good stuff
    All of what we today call "vulnerability management" patching,
    auditing, etc, are examples of the first. Antivirus, DPI firewalls,
    IPS, and poorly configured firewalls are examples of the latter.

    99% of the firewalls out there are already _way_ too
    permissive; they allow arbitrary traffic outbound on many
    services, because their administrators somehow think
    that merely controlling port flows is "security." I was swapping
    Email with a guy last week who was puzzling over "how do
    you do SMB securely through a firewall?" and he seemed
    to think I was a nutbar for replying "You can't. Period." As
    if simply *wishing* it were securable were enough! The
    recent threads about DPI firewalls have been really
    depressing to me; I see the signs that a lot of "security
    practitioners" have bought into the "patch, then patch
    again" and "try to enumerate all the bad stuff" philosophies.
    They're very attractive but they're fundamentally never going
    to work.

    If custom trojans become a mass-media security meme,
    then look for a handful of venture-funded startups in the
    next year, offering bogus products designed to detect
    and trap these custom malware agents. Of course they
    won't work but they'll make a lot of fools sleep better
    and they'll make a lot of canny businessmen rich(er).


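The contrast Ranum draws between "enumerate (and block) all the bad stuff" and "enumerate (and permit) only the good stuff" is easy to see in a tiny outbound-policy evaluator. The following is an added example, not code from the original post or from the firewall-wizards list; the hosts, ports, flows and both rule sets are constructed for illustration. It runs the same sample of outbound connections through a default-allow blocklist and a default-deny allowlist and reports where they disagree, which is exactly the space a "custom Trojan Horse" phoning home on an unlisted port lives in.

```python
"""Added example (not from the original post): default-allow blocklist
versus default-deny allowlist applied to constructed outbound flows."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One outbound connection attempt from the internal network."""
    src: str      # internal host (constructed address)
    dst: str      # destination address (constructed)
    dport: int    # destination port
    proto: str    # "tcp" or "udp"


# Constructed sample of outbound flows; documentation ranges only.
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "198.51.100.20", 443, "tcp"),   # HTTPS to a web server
    Flow("10.0.0.12", "198.51.100.20", 80, "tcp"),    # HTTP to the same server
    Flow("10.0.0.40", "10.0.0.2", 53, "udp"),         # DNS to the internal resolver
    Flow("10.0.0.40", "203.0.113.5", 53, "udp"),      # DNS to an arbitrary outside host
    Flow("10.0.0.12", "203.0.113.9", 445, "tcp"),     # SMB leaving the network
    Flow("10.0.0.55", "203.0.113.77", 9001, "tcp"),   # unknown service on an unlisted port
]

# "Enumerate the bad": ports we know are dangerous.  Everything else passes.
BLOCKED_PORTS = {135, 137, 138, 139, 445}


def blocklist_policy(flow: Flow) -> bool:
    """Default allow; deny only what is on the blocklist."""
    return flow.dport not in BLOCKED_PORTS


# "Enumerate the good": (proto, dport, dst) triples the business actually
# needs.  dst of None means "any destination".  Everything else is denied.
ALLOWED = {
    ("tcp", 443, None),        # HTTPS to anywhere
    ("tcp", 80, None),         # HTTP to anywhere
    ("udp", 53, "10.0.0.2"),   # DNS, but only to our own resolver
}


def allowlist_policy(flow: Flow) -> bool:
    """Default deny; permit only what is explicitly enumerated."""
    for proto, dport, dst in ALLOWED:
        if flow.proto == proto and flow.dport == dport and dst in (None, flow.dst):
            return True
    return False


def evaluate(flows, policy):
    """Map each flow to the policy's verdict (True = permitted)."""
    return {f: policy(f) for f in flows}


def disagreements(flows):
    """Flows the blocklist lets through but the allowlist stops.

    This is the traffic a default-allow firewall never even logs as a
    decision: anything not already known to be bad.
    """
    return [f for f in flows if blocklist_policy(f) and not allowlist_policy(f)]


if __name__ == "__main__":
    print(f"{'flow':<40} {'blocklist':>10} {'allowlist':>10}")
    for f in SAMPLE_FLOWS:
        desc = f"{f.src} -> {f.dst}:{f.dport}/{f.proto}"
        print(f"{desc:<40} {str(blocklist_policy(f)):>10} {str(allowlist_policy(f)):>10}")
    print("\nPermitted only by the blocklist:")
    for f in disagreements(SAMPLE_FLOWS):
        print(f"  {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Both policies stop the outbound SMB flow, because it is on the blocklist and absent from the allowlist. The two flows that separate them are the DNS query to an arbitrary outside resolver and the connection on port 9001: the blocklist has no opinion about either, so it permits them, while the allowlist denies both because nobody ever enumerated them as needed. That gap, not the blocked-ports table, is what matters when the threat is something no signature has seen.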

