Re: [fw-wiz] Firewall best practices

..have you seen Qubes OS?

Nice thing and can be configured to do just anything.. but the problem lies
elsewhere: the percentage of people who care about security just enough
to use anything *OTHER* than Windows as their desktop OS is low enough, and
dividing that further leads us to an almost non-existent fraction. That's why I
wish some of those VMs were Windows.

On Tue, Apr 27, 2010 at 06:18:40PM -0400, Paul D. Robertson wrote:
On Tue, 27 Apr 2010, Marcus J. Ranum wrote:

scale between "nothing at all" and "utter crap" it's the SSL
situation. I guess that having crypto that sucks so badly that
it's breakable is easier than having to actually ask the question,

Oh, it's much, much worse than that - you're breaking the old red/black
network model by allowing encrypted and unencrypted packets to/from the
same device from different security domains without compartments. But
more importantly all the effort of the overengineered SSLcrap is that the
entire industry focused on the wrong end of the problem. It's not the
server that needs the protection (not to mention that still also breaks
the traditional crypto model - but I tried to advocate around that with a
trusted OS, "too much work" it seems *sigh*).

In Marcus-land the way we'd do it is have crypto that didn't
suck, and firewall rules that permitted outgoing crypto only
to (say, if online banking was an authorized activity during
office hours) a set of supported sites. Yeah, yeah, I know,
Marcus-land isn't a real place...

Even with sucky crypto, the combination of allowing traffic only to
specific sites would be a *major* improvement over the status quo. Couple
that with only allowing trusted executables (Windows Software Restriction
Policies are still better than 98% of what's out there) and you get to a
pretty good place pretty quickly.

In Paul-land, Marcus land would have lots more beer, and Paul would be
allowed much more access!! ;)

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list

firewall-wizards mailing list
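The egress policy Paul and Marcus sketch above (outbound crypto only to a set of approved sites, some of them only during office hours, everything else denied) is easy to state and easy to get subtly wrong, so here is a worked version of the decision logic. This is an added example, not code from the thread or from either author: the allowlisted names, the office-hours window and the log lines are all constructed, and the firewall is assumed to see the TLS server_name (SNI) the client asked for. Note what the rule relies on: the client chooses the SNI, so a compromised host can lie, which is why the post pairs this with only running trusted executables on the host.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple


# Allowlist of approved destinations. The names are hypothetical.
@dataclass(frozen=True)
class Rule:
    sni: str                                   # server name the client may ask for
    port: int
    office_hours: Optional[Tuple[time, time]]  # None = permitted at any time


ALLOWLIST = [
    Rule("bank.example", 443, (time(9, 0), time(17, 0))),  # banking, 09:00-17:00 Mon-Fri only
    Rule("updates.example", 443, None),                     # patch server, any time
]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: Optional[str]   # None when the ClientHello carried no server_name


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<iso-timestamp> <src> <dst> <port> <sni|->'."""
    ts, src, dst, port, sni = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(port),
                None if sni == "-" else sni)


def matches(rule: Rule, sni: str) -> bool:
    # Exact host or a subdomain of the approved name; "bank.example.evil" does not match.
    return sni == rule.sni or sni.endswith("." + rule.sni)


def evaluate(flow: Flow, rules: List[Rule] = ALLOWLIST) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason). Anything not explicitly approved is denied."""
    if flow.dst_port != 443:
        return "deny", "only TLS on 443 may leave the network"
    if flow.sni is None:
        # Without a name we cannot tell which site this is, so it is not an approved one.
        return "deny", "no SNI, destination site cannot be identified"
    for rule in rules:
        if rule.port == flow.dst_port and matches(rule, flow.sni):
            if rule.office_hours is None:
                return "allow", f"{rule.sni} permitted at any time"
            start, end = rule.office_hours
            if flow.ts.weekday() < 5 and start <= flow.ts.time() < end:
                return "allow", f"{rule.sni} permitted during office hours"
            return "deny", f"{rule.sni} only permitted during office hours"
    return "deny", f"{flow.sni} is not an approved site"


def evaluate_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run the policy over log lines; returns (sni, verdict, reason) per line."""
    return [(f.sni or "-", *evaluate(f)) for f in map(parse_flow, lines)]


# Constructed connection log; 2010-04-27 is a Tuesday, 2010-05-01 a Saturday.
SAMPLE_LOG = [
    "2010-04-27T10:15:00 10.0.0.5 203.0.113.7 443 bank.example",     # office hours
    "2010-04-27T22:05:00 10.0.0.5 203.0.113.7 443 bank.example",     # evening
    "2010-04-27T11:00:00 10.0.0.5 198.51.100.9 443 other.example",   # not approved
    "2010-04-27T11:00:00 10.0.0.5 198.51.100.9 22 -",                # ssh egress
    "2010-04-27T11:00:00 10.0.0.5 198.51.100.9 443 -",               # TLS without SNI
    "2010-04-27T03:00:00 10.0.0.5 192.0.2.10 443 updates.example",   # any time
    "2010-05-01T10:15:00 10.0.0.5 203.0.113.7 443 bank.example",     # weekend
]

if __name__ == "__main__":
    for sni, verdict, reason in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:5} {sni:16} {reason}")
```

The default-deny shape is the point: a flow is allowed only when a rule matches on port, name and time, and every other branch denies. On a real firewall the same policy would be expressed as a proxy or SNI-aware ruleset rather than in Python, and the destination should also be checked against the server certificate, since the name in the ClientHello is whatever the client chose to send.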
