Dailydave mailing list archives

Re: This just in: Firewalls are obsolete


From: Gadi Evron <ge () linuxbox org>
Date: Tue, 12 Jul 2005 01:40:52 +0200

Florian Weimer wrote:
> * Gadi Evron:
>
>> I am getting rather tired of "everything over port 80" and calling everything a firewall this or firewall that.
>
> I find it rather instructive to keep in mind that languages like PHP
> are widely used to implement firewall components.  Unfortunately, most
> PHP developers wouldn't agree. 8->

Erm.. if we go for annoying things..

I find it rather annoying that every bit of software out there today demands to be allowed to communicate with its "home base". Can't updates be done differently in this advanced day and age?

There's an entire market about to evolve, of machines very similar to MS's SUS server (now a different name) which would relay patches from outside servers to inside servers and then the end machines. The patches are still the same as when they entered the so-called "secure" tunnel, but they went through a few hoops along the way.

Which brings us to another major issue some of us try and solve.. and that never ends.

The only way you have, eventually, to secure any communication coming from the outside is by receiving it first. If for example you want to verify a certificate, you'd have to.. erm.. verify it. You can use web services, Kerberos, etc. but eventually the machine people connect to is still potentially vulnerable, and the next machine down the line is vulnerable to it, all the way to your CA, DB, LDAP server or whatever else. The only way you can protect it right now is by adding another and yet another hop along the way, which is silly.

I am exaggerating.. but these problems persist, and yet nowadays, with all our advanced technology.. we still can't really identify a computer without being potentially vulnerable to replay attacks, certificates being stolen, data being forged, etc. Can you think of any way to be really sure, with knowledge which is not secret and therefore relies on obscurity or a real security guard, that the computer you are talking to really is that computer?

One might say the same applies to a person, but you can be *reasonably* sure you are talking to Jack Black when he shows you his certificate and passes another test to show he knows the code, as an example.

        Gadi.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
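The replay problem the message above raises is usually addressed with a single-use, time-bounded challenge: the verifier has to receive and parse the response before it can check it, as the author says, but a captured response cannot be played back later. The following is an added illustration, not code from the original post or from any list participant; it assumes a pre-shared HMAC key provisioned out of band (a constructed demo value here) and a hypothetical `Verifier` class of its own. It shows what a nonce actually buys and what it does not: a replayed or expired response is rejected, while a stolen key still lets anyone answer correctly.

```python
import hashlib
import hmac
import os
import time

# Constructed demo secret; in practice provisioned out of band per client.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _tag(key, client_id, nonce):
    """HMAC-SHA256 over client id and nonce, the response the client must send."""
    msg = f"{client_id}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Server side: issues single-use nonces and checks the responses."""

    def __init__(self, key, ttl_seconds=30, now=time.time):
        self._key = key
        self._ttl = ttl_seconds
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # nonce -> issue time, removed on first use

    def issue_challenge(self):
        """Hand out a fresh random nonce and drop stale ones to bound memory."""
        cutoff = self._now() - self._ttl
        self._pending = {n: t for n, t in self._pending.items() if t >= cutoff}
        nonce = os.urandom(16).hex()
        self._pending[nonce] = self._now()
        return nonce

    def verify(self, client_id, nonce, tag):
        """Return (ok, reason). The nonce is consumed whether or not it verifies."""
        issued = self._pending.pop(nonce, None)
        if issued is None:
            return False, "unknown or already-used nonce"
        if self._now() - issued > self._ttl:
            return False, "challenge expired"
        if not hmac.compare_digest(_tag(self._key, client_id, nonce), tag):
            return False, "bad tag"
        return True, "ok"


def respond(key, client_id, nonce):
    """Client side: answer the challenge with the shared key."""
    return _tag(key, client_id, nonce)


def demo():
    """Run one legitimate exchange, then replay the captured response."""
    verifier = Verifier(SHARED_KEY)
    nonce = verifier.issue_challenge()
    answer = respond(SHARED_KEY, "host-a", nonce)
    first = verifier.verify("host-a", nonce, answer)    # (True, "ok")
    replay = verifier.verify("host-a", nonce, answer)   # rejected: nonce consumed
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The verifier consumes the nonce on the first attempt, good or bad, so a guessed tag cannot be retried against the same challenge. Note what this does not cover: if the key is stolen, `respond` works for the thief too, which is exactly the gap the original message points at.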

