Firewall Wizards mailing list archives
Re: The Outgoing Traffic Problem
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Wed, 19 Jul 2006 23:02:39 +0530
On 18/07/06 06:24 -0400, Marcus J. Ranum wrote:
<snip>
> The end-game looks like: operating systems environments that execute only
> white-listed executables that have been authorized by the system owner or
> enterprise administrator, combined with

<snip>

/me loads up a snazzy AJAX application in the browser.

"See, no application installations, no patching, everything works over the web as long as you enable random ActiveX controls and ECMAscript".

When applications run in a VM, and the application itself can be dynamically changed, speaking about locking the host down doesn't make sense at all.

Web applications give you all the management benefits of centralised applications, but none of the security benefits thereof. They are essentially applications which run on the client, but are downloaded every time you start the app. This is equivalent to copying the application over every time you want to run it, but with a bit less data transfer, since the libraries are already on the client.

> a "tie connectivity to a live human" layer for originating network traffic,
> unless the system is a server (in which case it will be firewalled down to
> just authorized services).
ECMAScript, XMLRPC, SOAP and HTTP anyone? You only need one hole in the dike, if the hole is big enough.
> In the meantime, we'll get more emphasis on patching and anti-badness
> detectors. As we've seen, anti-badness detectors (IPS, A/V, IDS,
> anti-spyware, URL filtering, anti-spam) don't really work, unless you're
> an anti-badness vendor. And, we can see how well patching is working...
> http://www.ranum.com/security/computer_security/calendar/june.jpg
>
> Schneier has written interesting stuff about the difficulty of accurately
> tying a real human to a keyboard; there are signs that the bad guys are
> working on how to do man in the middle attacks against "captchas" and
> 2-factor authentication. For the

I thought they broke captchas a long time ago. Nothing like harnessing the promise of naked women to get humans to do the work of bots.

Never send a machine to do a human's job.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards