Re: [fw-wiz] Is NAT in OpenBSD PF UPnP enabled or Non UPnP?

From: Darren Reed (darrenr_at_reed.wattle.id.au)
Date: 07/18/05

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] The Death Of A Firewall"
    To: "Paul D. Robertson" <paul@compuwar.net>
    Date: Tue, 19 Jul 2005 03:42:42 +1000 (EST)
    
    

    To return to a long forgotten about thread...

    > On Sun, 5 Jun 2005, Darren Reed wrote:
    >
    > > > Security is about staid and static- that's part of the issue of why it's
    > > > difficult to inject it into companies that don't have a real driver for
    > > > it.
    > >
    > > I disagree. Security is about being conservative, which doesn't
    > > necessarily imply being static/staid. I think being static/staid can
    >
    > Oh, but it does- the essence of security is about the tried and true.
    > Basic principles haven't changed in thousands of years, even when applied
    > to new technologies. Security evolves very slowly, which is why the
    > marketing weasels have so much trouble with it.
    >
    > > lead you down a path that can increase your security risk rather than
    > > maintain it. I think being conservative, when it comes to IT, is just
    > > plain HARD and this is why companies find it difficult.
    >
    > Google define: conservative:
    ..

    It might be similar to staid, but it's not the same as static.

    > Anything poorly implemented can increase your security risk, however it's
    > very rare that disallowing new content is one of them.

    I'd contend that when it comes to the web, by default you generally
    allow new content, whether you like it or not and may at some time
    later decide it is bad.

    > > I also think you're wrong about security needing to be a governor,
    > > because security types are too conservative and being a governor is
    > > to try and manage a situation you have no real control over. They
    >
    > You're assuming security people don't have control. This, I think is
    > Marcus's main point about giving in too soon. If I have the passwords to
    > the firewall, I have control over what traverses it.

    I'll argue that you don't have control over what traverses it - in terms
    of content. You might control who connects to what.

    > > As with the web, so too with any popular technology,
    > > if the designers aren't security savvy then we will have problems by
    > > design, later. If security misses out at this step then it is very hard
    > > to shove it into the box later.
    >
    > Which is why we prefer to slow them down and make them get it right than
    > to react to their dynamic ideas.

    I don't think time makes any difference. Things need to be forced
    through peer review with security analysis as the primary objective
    of evaluation. Put a bunch of Microsoft programmers in a room and
    it won't matter if you give them 6 months or 6 years, they'll still
    come up with something insecure at the end. The only difference
    the time will make is the number of useless features.

    Darren
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

