Firewall Wizards mailing list archives
Choir, preaching to (was Re: Proxy advantage)
From: Bennett Todd <bet () rahul net>
Date: Tue, 16 Apr 2013 17:57:49 -0400
Computer Security serves a very specific purpose, and that's helping improve reliability in the face of a hostile world. If you do or say things that mustn't be known in public, it may serve to help there, too, but that's neither the sole nor a necessary justification.

Implementing computer security comes at a cost. It may be paid in money, or time, but it will always be paid in sacrificed flexibility, speed, ease of use, and so on.

If your security policy lays out the decision criteria well, you can do things -- like making all IP addresses other than your internal network unroutable and unreachable to anything but the proxies in your firewall plant.

If you allow individuals' mobile devices to attach to your network, or VPN for work from home; or if you allow anyone to install software without careful review and supervision; or if you allow excessively complex applications to access excessively complex data from untrusted sources (say, GUI web browsers or email clients), your security stance is cruising along well below the threshold to repel casual thugs with limited motivation and expertise.

A low-tech kludge for must-have apps with unacceptable security issues is to run them on a sandbox machine. Happily, in this day of VMs, the cost of doing so is smaller than it used to be.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards