Firewall Wizards mailing list archives

Re: Antwort: Re: Facts, not Fiction


From: "Paul D. Robertson" <proberts () clark net>
Date: Mon, 10 Nov 1997 20:07:08 -0500 (EST)

On Mon, 10 Nov 1997 Hartmut.Fehling () Hamburg-Mannheimer de wrote:

Example: I have an NT-Host behind the FW which is vulnerable to POD or
NetBIOS-Attacks. However, the FW-Host is supposed to filter out this kind
of traffic. How far can I trust the _current_ products to do just that?

In an application layer gateway which doesn't forward, you should be able 
to build a high level of trust if you don't have proxies for the 
applications *and* the firewall itself isn't vulnerable.  In a packet 
filtering firewall, as much as you trust the particular implementation.

But of course, proxies get to be the same difficulty when it comes to
things at the application's transport layer.

Trust modeling is complex, and the barriers to entry into a trusted space 
are quite high, and the path long.  That's why you'll see a lot of us 
arguing against jumping to the 'latest and greatest' of anything, be it 
OS, product, or service.  

Your audit points, ability to have good audits, and following the issues 
should give you assurance based on your extension of trust.

Lastly, trust shouldn't be absolute.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280


