Firewall Wizards mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Fri, 20 May 2005 11:55:38 -0400
Joseph S D Yao wrote:
On Thu, May 19, 2005 at 09:57:42AM -0400, Chuck Swiger wrote:
On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
On Tue, 17 May 2005, Martin wrote:
"Be liberal in what you accept; be strict in what you send."
_All_ effective security controls break that tenet. The more liberal your controls, the more risk you assume.
There is more to an effective security control than only denying stuff!
... I'm not sure what all the argument is about. Perhaps we are agreeing at the top of our lungs?
Nope. I am convinced that there is some real disagreement lurking amongst the loud agreement. :-)
I remember a discussion in the 1970s which concluded that PURE security is exactly opposed to PURE utility. The most secure computer would be unplugged and buried beneath tonnes of rock. Not particularly usable. The most usable computer would have open access for everybody. Not particularly secure. I don't think anyone here was in that discussion, but it kind of clarified the pure concepts.
Sure, this defines security much the way that Paul does: the more stuff the system denies, the more "secure" it is. A door lock which rejects all keys, even a good key, is more "secure" than a lock which rejects only invalid keys.
I find this definition to be self-consistent, but lacking, and would argue that security consists of more than just being able to deny stuff really well.
Rule #1: Figure out what you are protecting.
Rule #2: Figure out what you are protecting against.
This includes risk of disclosure, risk of unauthorized access/modification, loss of data, and loss of service availability, etc.
Soon after the firewall idea was made known, and after people who weren't clear on the balance of security and utility started getting hold of it, Marcus Ranum introduced his Ultimately Secure Firewall - which does indeed disallow all network traffic. <URL: http://www.ranum.com/security/computer_security/papers/a1-firewall/>
Heh...I've passed on two or three times where I wanted to bring up Marcus' wirecutters. :-)
But I think the fact that people are buying expensive 1U firewall boxes from vendors rather than making Marcus rich from setting wirecutters proves my point that permitting access is something that a security device needs to do to be *useful*, barring exceptional cases.
--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards