Re: [fw-wiz] Firewall best practices



On Tue, 27 Apr 2010, Marcus J. Ranum wrote:

scale between "nothing at all" and "utter crap" it's the SSL
situation. I guess that having crypto that sucks so badly that
it's breakable is easier than having to actually ask the question,

Oh, it's much, much worse than that- you're breaking the old red/black
network model by allowing encrypted and unencrypted packets to/from the
same device from different security domains without compartments. But
more importantly all the effort of the overengineered SSLcrap is that the
entire industry focused on the wrong end of the problem. It's not the
server that needs the protection (not to mention that still also breaks
the traditional crypto model- but I tried to advocate around that with a
trusted OS, "too much work" it seems *sigh*.

In Marcus-land the way we'd do it is have crypto that didn't
suck, and firewall rules that permitted outgoing crypto only
to (say, if online banking was an authorized activity during
office hours) a set of supported sites. Yeah, yeah, I know,
Marcus-land isn't a real place...

Even with sucky crypto, the combination of allowing traffic only to
specific sites would be a *major* improvement over the status quo. Couple
that with only allowing trusted executables (Windows Software Restriction
Policies are still better than 98% of what's out there) and you get to a
pretty good place pretty quickly.

In Paul-land, Marcus land would have lots more beer, and Paul would be
allowed much more access!! ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages