Firewall Wizards mailing list archives

Re: tunnel vs open a hole


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 06 Apr 2003 21:12:13 -0400

Barney Wolff wrote:
> In the good old days, the definition of "firewall" was "that which
> implements your security policy" rather than "the box with that label".

Hey!!! I remember that definition!! <LOL>   .. I ought to.....

> The implication of this reasoning is clear:  If you don't control the
> internal tunnel endpoint(s), you don't control your security policy.

Yup. The problem is that there's so much shovelware, spyware, trojanware,
and social-engineerware that you DON'T really control the endpoints, you
just think you do. I've seen waaaay too many companies think "we have a
firewall, so we don't need to worry" - and not have antivirus software on
their interior machines because they are "safe" behind the firewall. It's
scary. :(  We made a big mistake when we started building firewalls that
allowed outgoing connections that were not individually authenticated and
associated with a human user's request.

mjr. 
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards