Re: [fw-wiz] Firewall best practices
- From: ArkanoiD <ark@xxxxxxxxx>
- Date: Wed, 28 Apr 2010 21:03:08 +0400
_..have you seen qubes OS?
Nice thing and can be configured to do just anything.. but the problem lies
elsewhere: the percentage of people who care about security just enough
to use anything *OTHER* than Windows as their desktop OS is low enough, and
dividing that further leads us to almost non-existant fraction. That's why i
wish some of those VMs were Windows.
On Tue, Apr 27, 2010 at 06:18:40PM -0400, Paul D. Robertson wrote:
On Tue, 27 Apr 2010, Marcus J. Ranum wrote:
scale between "nothing at all" and "utter crap" it's the SSL
situation. I guess that having crypto that sucks so badly that
it's breakable is easier than having to actually ask the question,
Oh, it's much, much worse than that- you're breaking the old red/black
network model by allowing encrypted and unencrypted packets to/from the
same device from different security domains without compartments. But
more importantly all the effort of the overengineered SSLcrap is that the
entire industry focused on the wrong end of the problem. It's not the
server that needs the protection (not to mention that still also breaks
the traditional crypto model- but I tried to advocate around that with a
trusted OS, "too much work" it seems *sigh*.
In Marcus-land the way we'd do it is have crypto that didn't
suck, and firewall rules that permitted outgoing crypto only
to (say, if online banking was an authorized activity during
office hours) a set of supported sites. Yeah, yeah, I know,
Marcus-land isn't a real place...
Even with sucky crypto, the combination of allowing traffic only to
specific sites would be a *major* improvement over the status quo. Couple
that with only allowing trusted executables (Windows Software Restriction
Policies are still better than 98% of what's out there) and you get to a
pretty good place pretty quickly.
In Paul-land, Marcus land would have lots more beer, and Paul would be
allowed much more access!! ;)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
email protected and scanned by AdvascanTM - keeping email useful - www.advascan.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
- References:
- Re: [fw-wiz] Firewall best practices
- From: Marcus J. Ranum
- Re: [fw-wiz] Firewall best practices
- From: Paul D. Robertson
- Re: [fw-wiz] Firewall best practices
- Prev by Date: Re: [fw-wiz] Looking for firewall mgmt solution
- Next by Date: Re: [fw-wiz] Firewall best practices
- Previous by thread: Re: [fw-wiz] Firewall best practices
- Next by thread: Re: [fw-wiz] Firewall best practices
- Index(es):
Relevant Pages
|
