Firewall Wizards mailing list archives

Re: A fun smackdown...


From: Chuck Swiger <chuck () codefab com>
Date: Fri, 20 May 2005 11:55:38 -0400

Joseph S D Yao wrote:
> On Thu, May 19, 2005 at 09:57:42AM -0400, Chuck Swiger wrote:
> > On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
> > > On Tue, 17 May 2005, Martin wrote:
> > > > "Be liberal in what you accept; be strict in what you send."
> > >
> > > _All_ effective security controls break that tenet. The more liberal your controls, the more risk you assume.
> >
> > There is more to an effective security control than only denying stuff!
>
> ...
>
> I'm not sure what all the argument is about.  Perhaps we are agreeing at
> the top of our lungs?

Nope. I am convinced that there is some real disagreement lurking amongst the loud agreement. :-)

> I remember a discussion in the 1970s which concluded that PURE security
> is exactly opposed to PURE utility.  The most secure computer would be
> unplugged and buried beneath tonnes of rock.  Not particularly usable.
> The most usable computer would have open access for everybody.  Not
> particularly secure.  I don't think anyone here was in that discussion,
> but it kind of clarified the pure concepts.

Sure, this defines security much the way that Paul does: the more stuff the system denies, the more "secure" it is. A door lock which rejects all keys, even a good key, is more "secure" than a lock which rejects only invalid keys.

I find this definition to be self-consistent, but lacking, and would argue that security consists of more than just being able to deny stuff really well.

Rule #1: Figure out what you are protecting.
Rule #2: Figure out what you are protecting against.

This includes risk of disclosure, risk of unauthorized access/modification, loss of data, and loss of service availability, etc.

> Soon after the firewall idea was made known, and after people who
> weren't clear on the balance of security and utility started getting
> hold of it, Marcus Ranum introduced his Ultimately Secure Firewall -
> which does indeed disallow all network traffic.
>
> <URL: http://www.ranum.com/security/computer_security/papers/a1-firewall/>

Heh...I've passed on two or three times where I wanted to bring up Marcus' wirecutters. :-)

But I think the fact that people are buying expensive 1U firewall boxes from vendors rather than making Marcus rich from selling wirecutters proves my point that permitting access is something that a security device needs to do to be *useful*, barring exceptional cases.

--
-Chuck

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards