Firewall Wizards mailing list archives
Re: Firewall best practices
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 27 Apr 2010 18:18:40 -0400 (EDT)
On Tue, 27 Apr 2010, Marcus J. Ranum wrote:
> scale between "nothing at all" and "utter crap" it's the SSL situation. I guess that having crypto that sucks so badly that it's breakable is easier than having to actually ask the question,
Oh, it's much, much worse than that- you're breaking the old red/black network model by allowing encrypted and unencrypted packets to/from the same device from different security domains without compartments. But more importantly all the effort of the overengineered SSLcrap is that the entire industry focused on the wrong end of the problem. It's not the server that needs the protection (not to mention that still also breaks the traditional crypto model- but I tried to advocate around that with a trusted OS, "too much work" it seems *sigh*.
> In Marcus-land the way we'd do it is have crypto that didn't suck, and firewall rules that permitted outgoing crypto only to (say, if online banking was an authorized activity during office hours) a set of supported sites. Yeah, yeah, I know, Marcus-land isn't a real place...
Even with sucky crypto, the combination of allowing traffic only to specific sites would be a *major* improvement over the status quo. Couple that with only allowing trusted executables (Windows Software Restriction Policies are still better than 98% of what's out there) and you get to a pretty good place pretty quickly.

In Paul-land, Marcus-land would have lots more beer, and Paul would be allowed much more access!! ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
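The egress model Marcus and Paul are describing (default-deny outbound crypto, with exceptions only for an approved set of sites, and only during the hours the activity is sanctioned) is easy to state as a rule list. The following is an added example written for this archive page, not code from either poster; it evaluates that policy over a handful of constructed flow records so the allow/deny logic can be seen working. The CIDR blocks, hosts, ports and office-hours window are assumptions chosen for illustration, and the denied flows are the ones a defender would log and review rather than silently drop.

```python
"""Default-deny egress allow-list evaluator (added illustration, not from the thread).

Models the policy discussed above: outbound TLS is dropped unless the
destination is an approved site, on the approved port, inside the window
in which that activity is authorised.  All addresses and flows below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    dst_nets: Tuple[str, ...]                  # approved destination CIDRs (assumed values)
    dst_port: int
    hours: Optional[Tuple[int, int]] = None    # (start_hour, end_hour) local time, end exclusive
    weekdays_only: bool = False


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Assumed policy: online banking is sanctioned on weekdays 09:00-17:00 to one
# approved netblock; an internal update server may be reached at any time.
RULES: Tuple[Rule, ...] = (
    Rule("banking-office-hours", ("192.0.2.0/28",), 443, hours=(9, 17), weekdays_only=True),
    Rule("internal-update-server", ("198.51.100.5/32",), 443),
)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow is covered by this allow rule."""
    if flow.proto != "tcp" or flow.dport != rule.dst_port:
        return False
    dst = ip_address(flow.dst)
    if not any(dst in ip_network(net) for net in rule.dst_nets):
        return False
    if rule.weekdays_only and flow.ts.weekday() >= 5:   # 5 = Saturday, 6 = Sunday
        return False
    if rule.hours is not None:
        start, end = rule.hours
        if not (start <= flow.ts.hour < end):
            return False
    return True


def evaluate(flow: Flow, rules: Sequence[Rule] = RULES) -> Tuple[str, Optional[str]]:
    """Return ('accept', rule_name) for the first matching rule, else ('drop', None).

    No rule matching means drop: the policy is default-deny.
    """
    for rule in rules:
        if rule_matches(rule, flow):
            return ("accept", rule.name)
    return ("drop", None)


def denied_flows(flows: Sequence[Flow], rules: Sequence[Rule] = RULES) -> List[Flow]:
    """The flows the policy rejects; these are the ones worth alerting on."""
    return [f for f in flows if evaluate(f, rules)[0] == "drop"]


# Constructed sample flows.  27 Apr 2010 was a Tuesday, 25 Apr 2010 a Sunday.
SAMPLE_FLOWS: Tuple[Flow, ...] = (
    Flow(datetime(2010, 4, 27, 10, 15), "10.0.0.5", "192.0.2.10", 443),    # banking, office hours
    Flow(datetime(2010, 4, 27, 22, 30), "10.0.0.5", "192.0.2.10", 443),    # banking, after hours
    Flow(datetime(2010, 4, 27, 11, 0), "10.0.0.7", "203.0.113.7", 443),    # unapproved site
    Flow(datetime(2010, 4, 27, 3, 0), "10.0.0.9", "198.51.100.5", 443),    # update server, any time
    Flow(datetime(2010, 4, 25, 12, 0), "10.0.0.5", "192.0.2.10", 443),     # banking, Sunday
    Flow(datetime(2010, 4, 27, 11, 0), "10.0.0.5", "192.0.2.10", 8443),    # right site, wrong port
)


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, rule = evaluate(flow)
        print(f"{flow.ts:%Y-%m-%d %H:%M} {flow.src} -> {flow.dst}:{flow.dport}  {verdict}"
              + (f" ({rule})" if rule else ""))
    print(f"{len(denied_flows(SAMPLE_FLOWS))} of {len(SAMPLE_FLOWS)} flows denied")
```

Run as a script it prints a verdict per flow; four of the six constructed flows are dropped, and each drop is a different reason (after hours, unknown site, weekend, wrong port). The same rule list translates directly into a firewall's egress chain with a drop policy, which is the point of the thread: the hard part is deciding on the allow-list, not expressing it.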