Firewall Wizards mailing list archives

Re: How to Save The World


From: Crispin Cowan <crispin () immunix com>
Date: Sun, 12 Dec 2004 19:25:59 -0800

Marcus J. Ranum wrote:

If you drink a couple of shots of tequila to clear your mind of
preconceptions and really think about this Internet Security
stuff, there's a couple of glaringly obvious alternatives that we,
as an industry, have chosen to not explore. What is the cost
of enumerating viruses and malware and running antivirus
software ($19/year/desktop...) versus the cost of telling the
system exactly what code you want to allow to run. (Hmmm,
let's see - I could define my desktop computer's "allow"
list in 3 seconds: Eudora, Opera, Photoshop, Powerpoint,
Word, and directory toolkit)

Put down the tequila :)

Immunix's SubDomain product does pretty much exactly that. While the security benefits are intuitively obvious, and you would /think/ that it would be that simple, it is not. The hard part of this approach is:

   * Making it actually be simple to enumerate the "allowed" operations
     that your computer should do. The direct/obvious approach can take a
     long time to write out. Immunix makes it fast and simple.
   * Making the enumeration flexible enough so that it doesn't break
     next Tuesday when you add something. Immunix does that, too.


For a very long time, now, the industry has been moving
away from "custom code" based on the premise that
software is a commodity and should be treated as
such. But that is obviously an inaccurate premise. If
you question the premise that software is a commodity,
you need to question all the "facts" that follow from it.

I think it is pretty hard to make the case that custom software is often going to be cheaper than commodity software. The reality distortion field here is brought to you by the much more silly notion of standardizing on software from a particular vendor in Redmond. There are two things wrong with that:

   * the support costs of patching their particularly atrocious
     software are much higher than they need to be
   * it is not a "commodity" any more if you give one vendor monopoly
     control on the supply, and thus total control of the price

So let's not throw the baby out with the bath water. "Commodity" good. "Single source commodity" bad :)

Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
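
The "enumerate what is allowed" idea discussed above, as an added example that is not part of the original thread and not SubDomain's real profile language: a toy default-deny policy checker with a hypothetical per-program profile syntax (glob patterns for flexibility, a learning mode that logs rather than enforces so a profile can be built from real use). Program paths, globs and the `check`/`suggest_rules` helpers are all constructed here.

```python
import fnmatch
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical simplified profile syntax (not SubDomain's real format):
# program path -> list of (file glob, permitted modes drawn from "rwx").
# fnmatch's '*' also matches '/', so one rule covers a whole subtree.
Profiles = Dict[str, List[Tuple[str, str]]]
LogEntry = Tuple[str, str, str]  # (program, path, requested mode)

# Constructed sample policy for the "3 second" desktop allow list.
PROFILES: Profiles = {
    "/usr/bin/eudora": [("/home/*/Mail/*", "rw"), ("/usr/lib/*.so*", "r")],
    "/usr/bin/opera": [("/home/*/.opera/*", "rw"), ("/usr/lib/*.so*", "r"),
                       ("/tmp/opera-*", "rw")],
}


def check(profiles: Profiles, program: str, path: str, mode: str,
          learning: bool = False,
          log: Optional[List[LogEntry]] = None) -> str:
    """Default-deny access check.

    Returns "allow" only if the program is on the allow list and some rule
    matches the path with every requested mode, otherwise "deny". In learning
    mode a would-be denial is recorded in `log` instead of being enforced, so
    a new profile can be derived from what the program really touches.
    """
    rules = profiles.get(program)
    if rules is None and not learning:
        return "deny"  # not enumerated as allowed: may not run at all
    for pattern, perms in rules or []:
        if fnmatch.fnmatchcase(path, pattern) and set(mode) <= set(perms):
            return "allow"
    if log is not None:
        log.append((program, path, mode))
    return "allow" if learning else "deny"


def suggest_rules(log: List[LogEntry]) -> Profiles:
    """Turn a learning-mode log into candidate rules, merging modes per path.
    A human still reviews and generalises them (e.g. /home/alice -> /home/*)."""
    merged: Dict[Tuple[str, str], Set[str]] = {}
    for program, path, mode in log:
        merged.setdefault((program, path), set()).update(mode)
    out: Profiles = {}
    for (program, path), modes in merged.items():
        out.setdefault(program, []).append((path, "".join(sorted(modes))))
    return out
```

The glob rule is what keeps the policy from breaking "next Tuesday": a new mailbox under any user's Mail directory is covered without editing the profile, while anything outside the enumerated paths stays denied.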

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
