Firewall Wizards mailing list archives
Re: Ok, so now we have a firewall, we're safe, right?
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 31 May 2005 00:41:19 -0400
Paul D. Robertson wrote:
> AV isn't going to be effective against most custom Trojan Horses.

We've always known that this was the end-game of malware. And I know you've been part of the choir on this particular psalm for a very long time. :)

The late 1990s and early 2000s were characterized by a foolish exuberance of connectivity. It's going to take some time to roll that back, and there are going to be a lot of casualties in the process. <Shrug> "Think of it as evolution in action," as Niven and Pournelle would say.

Industry has been completely unwilling to listen to sense, and prefers to alternate between burying its head in the sand and beating it against the wall. Neither of those approaches is going to work in the long run, but they feed a lot of drones and make stupid people feel good. I characterize those 2 approaches as:

-- Use crappy software and try to patch it into a state of non-crappiness
-- Try to enumerate (and block) all the bad stuff, rather than enumerating (and permitting) only the good stuff

All of what we today call "vulnerability management" (patching, auditing, etc.) are examples of the first. Antivirus, DPI firewalls, IPS, and poorly configured firewalls are examples of the latter. 99% of the firewalls out there are already _way_ too permissive; they allow arbitrary traffic outbound on many services, because their administrators somehow think that merely controlling port flows is "security."

I was swapping Email with a guy last week who was puzzling over "how do you do SMB securely through a firewall?" and he seemed to think I was a nutbar for replying "You can't. Period." As if simply *wishing* it were securable were enough!

The recent threads about DPI firewalls have been really depressing to me; I see the signs that a lot of "security practitioners" have bought into the "patch, then patch again" and "try to enumerate all the bad stuff" philosophies. They're very attractive, but they're fundamentally never going to work.

If custom trojans become a mass-media security meme, then look for a handful of venture-funded startups in the next year, offering bogus products designed to detect and trap these custom malware agents. Of course they won't work, but they'll make a lot of fools sleep better and they'll make a lot of canny businessmen rich(er).

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
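An added illustration of the two philosophies contrasted in the message above (this is editorial example code, not part of the original post or thread): a small egress-policy evaluator that runs the same outbound flows through an "enumerate badness" table (block what is known to be bad, allow the rest) and an "enumerate goodness" table (permit only the flows the business needs, from the hosts that should originate them, deny the rest). The inside network, proxy, relay and resolver addresses, the port list and the sample flows are all constructed for the example.

```python
"""Default-allow ("enumerate badness") versus default-deny ("enumerate goodness")
egress policy, evaluated over a few constructed outbound flows.

Added example; hosts, ports and flows are constructed, not taken from any real
network or from the original message.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str            # inside source address
    dst: str            # outside destination address
    dport: int          # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    dport: Optional[int] = None      # None matches any destination port
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # host or CIDR; None matches any source

    def matches(self, flow: Flow) -> bool:
        if self.dport is not None and self.dport != flow.dport:
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(flow.src) not in net:
                return False
        return True


@dataclass
class Policy:
    name: str
    default: str                     # action taken when no rule matches
    rules: list = field(default_factory=list)

    def evaluate(self, flow: Flow) -> str:
        # First matching rule wins, as in most firewall rule tables.
        for rule in self.rules:
            if rule.matches(flow):
                return rule.action
        return self.default


# "Enumerate badness": deny the services we already know are unsafe to expose,
# then let everything else out. Anything nobody has written a rule for passes.
ENUMERATE_BADNESS = Policy("enumerate-badness", default="allow", rules=[
    Rule("deny", dport=445),         # SMB
    Rule("deny", dport=139),         # NetBIOS session
    Rule("deny", dport=135),         # MS RPC endpoint mapper
])

# "Enumerate goodness": permit only the flows the business needs, only from the
# hosts that should originate them (constructed addresses), and deny the rest.
ENUMERATE_GOODNESS = Policy("enumerate-goodness", default="deny", rules=[
    Rule("allow", dport=443, src="10.0.0.5/32"),               # web proxy
    Rule("allow", dport=80,  src="10.0.0.5/32"),               # web proxy
    Rule("allow", dport=25,  src="10.0.0.6/32"),               # mail relay
    Rule("allow", dport=53,  src="10.0.0.7/32", proto="udp"),  # resolver
])

# Constructed sample flows. 10.0.0.0/24 is the inside network; outside
# addresses come from the RFC 5737 documentation range.
FLOWS = {
    "proxy_https":       Flow("10.0.0.5",  "192.0.2.10", 443),
    "relay_smtp":        Flow("10.0.0.6",  "192.0.2.25", 25),
    "workstation_smb":   Flow("10.0.0.42", "192.0.2.45", 445),
    "workstation_https": Flow("10.0.0.42", "192.0.2.10", 443),
    "workstation_odd":   Flow("10.0.0.42", "192.0.2.99", 8081),  # no rule names it
}


def compare(flow: Flow) -> dict:
    """Return the verdict of each policy for one flow, keyed by policy name."""
    return {p.name: p.evaluate(flow) for p in (ENUMERATE_BADNESS, ENUMERATE_GOODNESS)}


def unknown_traffic_passes(policy: Policy) -> bool:
    """True if a flow that no rule mentions is let out by this policy."""
    return policy.evaluate(Flow("10.0.0.42", "192.0.2.99", 8081)) == "allow"


if __name__ == "__main__":
    for name, flow in FLOWS.items():
        print(f"{name:20s} {compare(flow)}")
```

The flow worth looking at is `workstation_odd`: a direct outbound connection on a port no rule mentions. The blocklist policy passes it, because nobody had enumerated it as bad; the allowlist policy denies it, because nobody had enumerated it as needed. The same holds for a workstation talking HTTPS directly to the outside when only the proxy is supposed to: both tables agree on SMB, and only the default-deny table says anything useful about everything else.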