Firewall Wizards mailing list archives
Re: Host Based Packet Filters (was: OT: The Morris worm to Nimda, how little we've learned or gained)
From: Bill_Royds () pch gc ca
Date: Mon, 7 Jan 2002 10:03:10 -0500
The problem with using OpenBSD as a desktop is not security but functionality. If I can't get the job done using the secure tools, then the secure tools won't be used. The trade-off many corporations take is to use insecure but "user-friendly" Microsoft products on an internal network and more hardened Solaris/OpenBSD/Linux etc. on the Internet-facing side. The product that separates one from the other is called a firewall. The problem then arises in how to make the firewall enforce that separation securely.

As some have found, the only secure firewall is a complete gap: no network connections between internal and external. But this now loses productivity as well, so the pressure on network designers, security designers, system administrators etc. is to find an acceptable compromise, one that has enough security but not so much as to reduce functionality below an economic level. When all the functionality of software that makes enterprises work is available on a secure OS (and MS will never make that OS), then we can convert to that OS. Until then, we need to reach a compromise.

Yes, personal firewalls are not perfect. But they can reduce the risk of certain security problems at an acceptable cost. Security is not preventing all possible harm; it is limiting harm to an acceptable level compared to cost.

Bill Royds
System Administrator, CHIN
ph: (819) 994-1200 X 239

"Robin S. Socha" <robin-dated-1010506831.4920dd () socha net>
01/05/02 12:15 PM
To: firewall-wizards () nfr net
cc: (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: Host Based Packet Filters (was: OT: [fw-wiz] The Morris worm to Nimda, how little we've learned or gained)

<snip>

You make it appear as if secure programming was impossible and only sprinkling some magic personal firewall dust can make a system secure. That, if you pardon my French, is bullshit. http://cr.yp.to/qmail/guarantee.html nicely wraps up the basic concepts of how to write secure code.
Compare qmail to sendmail to Exchange - getting the drift? Then take a look at http://www.openbsd.org/security.html and compare OpenBSD to Linux to Win2k - see the similarity? Secure code is small and modularized. Secure systems only have the functionality you need and nothing more. If you call this "user unfriendly", then you've made a risk assessment and decided for yourself that you believe in voodoo programming, fixing broken systems by adding obscure code and trusting companies with a track record that speaks for itself (if you consider root exploits "remote administration tools"). But don't make the mistake of presenting your version of the truth as an absolute truth. Because it is not.