Firewall Wizards mailing list archives
Re: firewalls and the incoming traffic problem
From: Bennett Todd <bet () rahul net>
Date: Mon, 29 Sep 1997 08:45:21 -0700
On Sun, Sep 28, 1997 at 11:51:31PM -0000, Itai Dor-on wrote:
> I tend to disagree with your point of view regarding the purpose of the firewall system.
Before disagreeing, make sure you've correctly read his position ... tricky, as mjr is a subtle author, and language barriers can make it easy to get fooled. It's worth knowing that Marcus is the original author of the TIS Firewall Toolkit, the foundation of the Gauntlet firewall from TIS, which is in turn the basis for the V-One Smartwall of V-One Corp., at which company mjr was Chief Scientist until he spun off into his mysterious new company Network Flight Recorder.
> From your post I understand that you see firewalls mainly as pure "packet filters".
I believe rather that he sees that as a popular market perspective. He's the author of certainly the oldest, and possibly the most widely-used to this day, proxy-based commercial firewall. But he wasn't commenting on the nature of the security implementation _he_ would set up --- or even anyone who knows enough to do a competent job. There aren't enough of us to go around by several orders of magnitude. I think mjr was talking about the perspective of your typical ignorant customer, buying a box called a "firewall" from your equally-ignorant typical vendor. In that market ease of configuration is the critical selling point, so there's no point in the kind of complex and subtle features required to implement a complex security policy. Your commercial firewall thus ends up being a mildly enhanced screening router with a friendly web-based configuration screen.
> Suppose I am a customer that runs Firewall-1 as my main security defense and I was doing market research for a new Internet mail server.
I think you miss the thrust of mjr's argument; the problems with mail _servers_ can be addressed (whether they are or not); just get a secure one, like qmail from Dan Bernstein, or the currently-under-development MTA from Wietse Venema (the other two leading names, besides mjr, in security programming). If you care about MTA security it's there for the downloading. But how are you going to secure Mail _User_ Agents (MUAs)? It's possible, as far as I know, that someone who uses Netscape for their email might possibly have some security, but I wouldn't bet on it; I think it's likelier that anyone who reads email with Netscape can have every file they can access shipped out to an attacker, without them ever knowing it. It's not that the authors of Netscape are malicious; they're just terribly terribly stupid. MSIE is far far worse.

-Bennett