Firewall Wizards mailing list archives

Re: A fun smackdown...


From: Joseph S D Yao <jsdy () center osis gov>
Date: Fri, 20 May 2005 10:16:04 -0400

On Thu, May 19, 2005 at 09:57:42AM -0400, Chuck Swiger wrote:
> On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
> > On Tue, 17 May 2005, Martin wrote:
> > > "Be liberal in what you accept; be strict in what you send."
> >
> > _All_ effective security controls break that tenet.  The more liberal
> > your controls, the more risk you assume.
>
> There is more to an effective security control than only denying stuff!
> ...

I'm not sure what all the argument is about.  Perhaps we are agreeing at
the top of our lungs?

I remember a discussion in the 1970s which concluded that PURE security
is exactly opposed to PURE utility.  The most secure computer would be
unplugged and buried beneath tonnes of rock.  Not particularly usable.
The most usable computer would have open access for everybody.  Not
particularly secure.  I don't think anyone here was in that discussion,
but it kind of clarified the pure concepts.

Soon after the firewall idea was made known, and after people who
weren't clear on the balance of security and utility started getting
hold of it, Marcus Ranum introduced his Ultimately Secure Firewall -
which does indeed disallow all network traffic.

<URL: http://www.ranum.com/security/computer_security/papers/a1-firewall/>

Ah, I see he has now made it the Ultimately Secure Intrusion Prevention
System ("featuring signature-less anomaly detection and blocking
technology!!").  ;-)

The SECURITY PERSON'S JOB, along with the systems and networks
administrators, is to achieve the best balance between maximum security
and maximum utility.  Chuck, I think that this is what you were thinking
of, vice Paul's insistence on what the pure functions were.  I think
that Paul would agree with this, if he has not been all along.

-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

