Firewall Wizards mailing list archives
RE: Hopefully not too OT
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 02 May 2005 18:10:41 -0400
Ben Nagy wrote:
<soapbox> And, if you want to sleep at night, then build your network so that the concept of "inside" and "outside" aren't important anymore. You should be able to construct an architecture such that even if (WHEN) any random internal machine turns malicious on you then its scope for damage is mitigated by internal controls. Remember that this is exactly what current malware aims to do - subvert 'any' internal machine.[...]
That's a short-term fix, but eventually you can't assume an entire host can be a write-off, and you'll go into application level controls, a trusted computing base, etc., etc. Where we're heading is toward the eventual painful realization and admission that the orange book guys were right all along. It really is all about trust, containment, and controls to define an authorized policy set. Y'know, all that "default deny" stuff??

The computing world/industry has been in complete denial about security since the "desktop revolution" wrested system administration from the hands of the professionals who ran the mainframes and gave it to mom and little 5th grader billy. It's a "gift" that has come with a terrible price. Since that day we've been penduluming back and forth between "lightweight desktops" and so forth - the current "appliance" fad is just the next evolution and I don't know what'll replace it but it won't be any solution, either. The problem is that we're just flat-out refusing to think about this stuff in an orderly manner, so we're jumping from quickie fix to quickie fix based on whatever is getting marketing hype this year. It won't work.

What disturbs me most is that whenever you say the words "trusted computing" in some environments, people's minds shut down and they start saying "NO! We don't want to go there!" -- the same people who, seconds before, were listing the requirements for their next-generation computer systems and were basically saying they needed trusted computing platforms.

I guess eventually we'll grow up about this whole thing. Remember, computing (and computer security) is such a recent invention, that there's certain to be several transformative technical revolutions in the next 50 years - revolutions so profound we can neither predict nor prepare for them. These toys we are playing with today will be like Bleriot's monoplane or Cugnot's steam car in comparison. "Don't sweat it," in other words.

mjr.
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
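Editor's added example (not from Ben Nagy's or Marcus Ranum's posts): one concrete way to make "inside" and "outside" stop mattering for a single internal host is a host-level ruleset with default deny in both directions, so that a compromised peer on the same LAN is treated exactly like the Internet, and a compromised process on this host cannot pivot or phone home. The subnets, interface names, ports and log prefixes below are assumptions chosen for illustration; the syntax is nftables.

```nftables
#!/usr/sbin/nft -f
# Added example, not part of the original thread. Host firewall for an
# internal application server, written on the assumption that any peer
# on the "inside" may already be malicious. Addresses and ports are
# illustrative assumptions.
flush ruleset

define mgmt_net    = 10.0.50.0/24            # admin jump hosts (assumed)
define app_clients = 10.0.20.0/24            # only subnet allowed to use the app
define db_server   = 10.0.30.11              # the one backend this host needs
define dns_servers = { 10.0.1.53, 10.0.2.53 } # internal resolvers

table inet host {
    chain input {
        type filter hook input priority 0; policy drop;   # default deny inbound

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Keep basic reachability diagnostics, but rate-limited.
        icmp type echo-request limit rate 5/second accept

        # Admin access only from the management subnet.
        ip saddr $mgmt_net tcp dport 22 accept

        # The application port, only from the client subnet.
        ip saddr $app_clients tcp dport 8443 accept

        # Anything else from "inside" gets the same answer as the Internet.
        log prefix "host-input-drop " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;  # default deny egress too

        oif "lo" accept
        ct state established,related accept

        ip daddr $dns_servers udp dport 53 accept
        ip daddr $db_server  tcp dport 5432 accept

        # A compromised process here cannot scan peers or reach a C2 server.
        log prefix "host-output-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;  # this host never routes
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; then, from a workstation on a subnet other than the assumed client or management ranges, try to reach ports 22 and 8443 and check that the attempts show up under the `host-input-drop` log prefix rather than connecting. The egress chain is the part most internal hosts lack: it is what turns "a box got owned" into "a box got owned and can talk to exactly two other addresses".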
Current thread:
- Hopefully not too OT jimmy (May 02)
- Re: Hopefully not too OT David Thiel (May 02)
- Management, Security and best practices for HSM & ATM networks Shimon Silberschlag (May 02)
- RE: Hopefully not too OT Ben Nagy (May 02)
- RE: Hopefully not too OT Marcus J. Ranum (May 02)
- Re: Hopefully not too OT Barney Wolff (May 03)
- Re: Hopefully not too OT Marcus J. Ranum (May 03)
- RE: Hopefully not too OT Marcus J. Ranum (May 02)
- Impeding wireless (was Re: Hopefully not too OT) Kevin (May 02)
- Re: Hopefully not too OT Paul D. Robertson (May 02)
- Re: Hopefully not too OT David Lang (May 02)
- RE: Hopefully not too OT Paul Melson (May 02)
- Re: Hopefully not too OT Jim MacLeod (May 05)
- <Possible follow-ups>
- RE: Hopefully not too OT Behm, Jeffrey L. (May 02)
- RE: Hopefully not too OT Gregory Hicks (May 02)
- Re: Hopefully not too OT Kevin Sheldrake (May 03)