Firewall Wizards mailing list archives

Re: Firewall Primitives


From: Adam Shostack <adam () homeport org>
Date: Sat, 9 Nov 2002 12:02:00 -0500

On Wed, Nov 06, 2002 at 04:31:50PM -0500, Marcus J. Ranum wrote:
| Older systems _were_ perfectly capable of doing checks for malicious
| behavior. A few of them did, even the first proxy firewalls. The
| reason firewalls don't do exhaustive checks has more to do with
| market dynamics and time-to-market than it does with performance
| issues in doing fast checks. Simply put: most customers would rather
| buy something that says "gigabit" on the marketing glossies than
| something that says "freakin' intensely secure"

I may lose my curmudgeon card for this, but I'll suggest that for
almost all customers, that's the right choice.  That's not to say that
almost all customers prefer speed to security.  However, speed claims
are relatively easy to verify.  Security claims are really hard to
verify.  Given that marketing can stamp "freakin' intensely secure"
where they want, but that stamping 'gigabit' on something is
falsifiable, everyone stamps "FIS," making it useless as a
decision-making criterion.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
