Firewall Wizards mailing list archives
Re: Is NAT in OpenBSD PF UPnP enabled or Non UPnP?
From: Darren Reed <darrenr () reed wattle id au>
Date: Tue, 19 Jul 2005 03:42:42 +1000 (EST)
To return to a long forgotten about thread...
On Sun, 5 Jun 2005, Darren Reed wrote:
>> Security is about staid and static - that's part of the issue of why it's
>> difficult to inject it into companies that don't have a real driver for it.
>
> I disagree. Security is about being conservative, which doesn't necessarily
> imply being static/staid. I think being static/staid can

Oh, but it does - the essence of security is about the tried and true. Basic principles haven't changed in thousands of years, even when applied to new technologies. Security evolves very slowly, which is why the marketing weasels have so much trouble with it.

> lead you down a path that can increase your security risk rather than
> maintain it. I think being conservative, when it comes to IT, is just
> plain HARD and this is why companies find it difficult.

Google define: conservative:
.. It might be similar to staid, but it's not the same as static.
Anything poorly implemented can increase your security risk, however it's very rare that disallowing new content is one of them.
I'd contend that when it comes to the web, by default you generally allow new content, whether you like it or not and may at some time later decide it is bad.
>> I also think you're wrong about security needing to be a governor, because
>> security types are too conservative and being a governor is to try and
>> manage a situation you have no real control over. They
>
> You're assuming security people don't have control. This, I think is
> Marcus's main point about giving in too soon. If I have the passwords to
> the firewall, I have control over what traverses it.
I'll argue that you don't have control over what traverses it - in terms of content. You might control who connects to what.
>> As with the web, so too with any popular technology, if the designers
>> aren't security savvy then we will have problems by design, later. If
>> security misses out at this step then it is very hard to shove it into
>> the box later.
>
> Which is why we prefer to slow them down and make them get it right than
> to react to their dynamic ideas.
I don't think time makes any difference. Things need to be forced through peer review with security analysis as the primary objective of evaluation. Put a bunch of Microsoft programmers in a room and it won't matter if you give them 6 months or 6 years, they'll still come up with something insecure at the end. The only difference the time will make will be the number of useless features.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards