Firewall Wizards mailing list archives

Re: Firewall best practices


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 27 Apr 2010 18:18:40 -0400 (EDT)

On Tue, 27 Apr 2010, Marcus J. Ranum wrote:

> scale between "nothing at all" and "utter crap" it's the SSL
> situation. I guess that having crypto that sucks so badly that
> it's breakable is easier than having to actually ask the question,

Oh, it's much, much worse than that - you're breaking the old red/black 
network model by allowing encrypted and unencrypted packets to/from the 
same device from different security domains without compartments.  But 
more importantly, all the effort of the overengineered SSLcrap is that the 
entire industry focused on the wrong end of the problem.  It's not the 
server that needs the protection (not to mention that still also breaks 
the traditional crypto model - but I tried to advocate around that with a 
trusted OS, "too much work" it seems *sigh*).

> In Marcus-land the way we'd do it is have crypto that didn't
> suck, and firewall rules that permitted outgoing crypto only
> to (say, if online banking was an authorized activity during
> office hours) a set of supported sites. Yeah, yeah, I know,
> Marcus-land isn't a real place...

Even with sucky crypto, the combination of allowing traffic only to 
specific sites would be a *major* improvement over the status quo.  Couple 
that with only allowing trusted executables (Windows Software Restriction 
Policies are still better than 98% of what's out there) and you get to a 
pretty good place pretty quickly.

In Paul-land, Marcus land would have lots more beer, and Paul would be 
allowed much more access!! ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
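The egress policy sketched in the thread (outbound TLS permitted only to a small set of supported sites, and only during office hours, everything else denied) as an added example that is not part of the original posts. It models the rule as a decision function and runs it over constructed flow-log lines so the denials can be reviewed; the hostnames, office-hours window and log format are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Hypothetical allowlist of "supported sites" (constructed names, not real hosts).
ALLOWED_TLS_DESTINATIONS = {"bank.example.com", "payroll.example.net"}
# Assumed office hours: 09:00 inclusive to 17:00 exclusive, local time.
OFFICE_HOURS = (9, 17)


@dataclass
class Flow:
    ts: datetime
    src: str
    dst_host: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow-log line: '<iso-timestamp> <src> <dst_host> <dst_port>'."""
    ts, src, dst_host, port = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst_host, int(port))


def egress_decision(flow: Flow) -> str:
    """Default-deny egress: only TLS (443) to an allowlisted site during office hours passes."""
    in_hours = OFFICE_HOURS[0] <= flow.ts.hour < OFFICE_HOURS[1]
    if flow.dst_port == 443 and flow.dst_host in ALLOWED_TLS_DESTINATIONS and in_hours:
        return "allow"
    return "deny"


def evaluate(lines):
    """Return (dst_host, dst_port, decision) per line, in input order."""
    return [(f.dst_host, f.dst_port, egress_decision(f)) for f in map(parse_flow, lines)]


def denied_destinations(lines) -> Counter:
    """Count denied flows per destination host; the review queue for a firewall admin."""
    return Counter(host for host, _, decision in evaluate(lines) if decision == "deny")


# Constructed sample flow log (not captured traffic).
SAMPLE_LOG = [
    "2010-04-27T10:15:00 10.0.0.5 bank.example.com 443",          # allowed: listed site, in hours
    "2010-04-27T20:30:00 10.0.0.5 bank.example.com 443",          # denied: after hours
    "2010-04-27T11:00:00 10.0.0.7 updates.unknown-vendor.test 443",  # denied: not on the allowlist
    "2010-04-27T11:05:00 10.0.0.7 bank.example.com 8443",         # denied: non-standard port
]

if __name__ == "__main__":
    for host, port, decision in evaluate(SAMPLE_LOG):
        print(f"{decision:5} {host}:{port}")
    print("denied per host:", dict(denied_destinations(SAMPLE_LOG)))
```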
