Firewall Wizards mailing list archives

Choir, preaching to (was Re: Proxy advantage)


From: Bennett Todd <bet () rahul net>
Date: Tue, 16 Apr 2013 17:57:49 -0400

Computer Security serves a very specific purpose, and that's helping
improve reliability in the face of a hostile world.

If you do or say things that mustn't be known in public, it may serve to
help there, too, but that's neither the sole nor a necessary justification.

Implementing computer security comes at a cost. It may be paid in money, or
time, but it will always be paid in sacrificed flexibility, speed, ease of
use, and so on.

If your security policy lays out the decision criteria well, you can do
things -- like making all IP addresses other than your internal network
unroutable and unreachable to anything but the proxies in your firewall
plant.

If you allow individuals' mobile devices to attach to your network, or VPN
for work from home; or if you allow anyone to install software without
careful review and supervision; or if you allow excessively complex
applications to access excessively complex data from untrusted sources
(say, GUI web browsers or email clients), your security stance is cruising
along well below the threshold to repel casual thugs with limited
motivation and expertise.

A low-tech kludge for must-have apps with unacceptable security issues is
to run them on a sandbox machine. Happily, in this day of VMs, the cost of
doing so is smaller than it used to be.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
