Well said. I've been following this discussion since its inception but have
reserved comment since so many like Frederick and have done such a excellent
job of expressing my views. I would like to add this note.
It took 25 years for the mainframe industry to implement secure that could
be considered "due care." That was on a single machine connected to
terminals. Now add the complexities of PCs, Windows, networking,
client-server, clusters, etc. and you have an environment that is a order of
magnitude more complex. Complex to the point that it is unlike it will
every reach a standard of due care in my lifetime. Or to put it another
way, it's so complex we CANNOT make it secure. All we can do is provide
purdent and reasonable measures that reduce risk.
Firewall servers reduce risk, filtering routers reduce risk, authentication
servers reduce risk, personnel training reduces risk even more but nobody's
single solution is a talasman. In my opinion one thing that would go a long
way toward resolving many of the security issues we face is for us (the
computing community) to refuse to purchase software that is designed without
regard for security. I would like to suggest, even further, that we refuse
to accept license agreements that eliminate the manufacture's liability if
their products do not perform as advertised and in so doing put our
companies at risk. Until we are willing to hold the manufacturer's "feet to
the fire," we are going to continue to get sub-standard products with
overstated claims.
Just think about it. The manufacturer is focused on features and
time-to-market so they short cut the engineering and testing processes and
don't bother building in the necessary safety features. Then to cover
themselves create a license agreement that eliminates their liability. They
place a seal on the doors so when you open the door you automatically agree
to the license. Would you buy an automobile from this manufacturer?
:-} End soap-box {-:
> -----Original Message-----
> From: Frederick M Avolio [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, May 27, 1999 4:19 AM
> To: Jen; Marcus J. Ranum
> Cc: [EMAIL PROTECTED]
> Subject: Re: DCOM on Gauntlet
>
> I fear when I read Jen's answer that many others also would have failed to
> *get* what Marcus wrote. He didn't say anything about needing or wanting
> or
> requiring absolute security. He didn't say that putting something in place
> to make your security better, even if not perfect, was a bad thing. (I'm
> ignoring Don Hoffmano's answer because I assume he was joking and if
> not...
> well, I'm embarrassed for him.)
>
> This is what I think I read, and I recommmend people read it again:
>
> - more than ever before, firewalls are considered by many to be a
> magic
> device, a talasman, a provider of security just by its presence.
>
> - if the firewall is potentially highly granular like many proxy
> based
> firewalls
> are and stateful inspection firewalls *could be*, but all you are
> doing
> is plugging or filtering based on source and destination without
> doing
> any processing of the data, why imflict the overhead on your users
> --
> use a packet filter.
>
> - as long as you insist on doing things in this order: determine the
> business
> needs (really "wants") without doing a risk assessment and without
> pushing back,
> then develop a "security policy" which allows the desired
> services, and then
> configuring your firewall with holes to allow those services, you
> are
> using the
> firewall as a talasman... you may as well not have one.
>
> - While many firewalls do provide logging, most people never look at
> the
> logs. Again,
> protection by talasman. (I don't know if Marcus said this, but he
> should
> have if he didn't. :-))
>
> Firewall vendors are giving people what they will buy. They have an
> obligation to their stockholders to do that. And the customers are happy.
> There is more discussion about a firewall vendor's dropping support of an
> operating system than there is about whether they do things as securely as
> they could. The questions here are rarely, "Can I do thus-and-so
> securely?"
> and more often "How can I get thus-and-so through my firewall?"
>
> On the other hand the situation -- from the 30,000 foot level -- is not
> much different than it was 5 years ago. A small set of people and
> organizations are well protected and the rest just think they are.
>
>
> Fred
> Avolio Consulting
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765
> 410-309-6910 (voice) 410-309-6911 (fax)
> http://www.avolio.com/
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
