>We've rediscovered the fact that the majority of proxy-based firewalls for
>anything but a few well known protocols are probably not much better than
>packet filters, and we've ranted about how this is bad.
I don't think most of the existing products are as bad as all that.
>Is it the job of the industry to protect us from poor IT management or poor
>IT consultants?
No. Unfortunately, that's the job of the security admin.
>If a company takes a considered risk assessment and says
>"Well, bugger it. I have bucket loads of insurance and I _want_ to run ICQ
>to every host on my network" then isn't it the job of firewall vendors to
>let them? At the end of the day, the customer is the customer, and they need
>to make their own decisions about how stupid they want to be.
This is the pivotal point: Does that firewall vendor want to be known for
being flexible, or do they want to be known for being conservative
and secure? The market is greatly favoring the flexible vendors
(and I use that type, FW1) and this is unfortunate for security admins
who would rather have conservative and secure. Since flexible is
winning with sales, it's effectively killing off conservative and secure.
>Where does the problem lie? Why is it that so few people in the "real world"
>are aware of security issues, or are prepared to take them seriously?
Because it's a hard problem, and it's inconvenient. People don't
like that.
>Sometimes I don't know if all of us security guys are just paranoid freaks
>or if the industry at large are starry-eyed lambs romping into the big happy
>safe Internet which is there for the good of all.
Yes to both. We know how bad the problems are... no one is listening
to us. The white hat hackers are spreading the word.
>Doesn't writing firewall
>software that won't let you do things because in the opinion of firewall
>vendors "that's bad" sound wrong to you guys?
Nope. Again, there's a really big market for firewalls that give the
impression of security, and still let all your dangerous, stupid
protocols work.
>I mean, I'm all there in terms of agreeing that too many sites are
>completely deluded about security, and I concede the very valid point that
>the new boom in firewalls for the masses has probably contributed to this. I
>think the biggest problems we have are lack of expertise - there aren't
>enough security people with a clue
I disagree somewhat. I don't think being a security guy is as hard as some
here make it out to be. The ideal security guy understands all the politics,
and policies, and is also a technical whiz. It's easy for many of us to
be perfectionists and accuse someone else of being 100% worthless
as a security person, strictly because they don't understand every subtlety
of some obscure protocol. I believe that even moderately trained people
can do the security admin job, if...
>and lack of acceptance - nobody is
>prepared to take security seriously enough to spend some money on it.
Bingo! A company can hire the best security guy in the world.. and then
force him to do really stupid stuff. People really don't want to hear how
hard it is to do security right. They want a warm fuzzy.. and then they
want to run off and run NetMeeting.
>Now
>either we can try and encode this knowledge in some cool new product,
Fundamentally, you can't. You can get some percentage into a product..
but you will never be complete.
I think of a number of these types of problems as being in the virus category..
You can't protect 100% from viruses, if you run un-audited code. Period.
You can do pretty darn well with frequently updated virus scanners... but
if you're the first one to get the new virus, you're screwed. This is a matter
of playing the odds... SOMEBODY has to get the new virus first.. chances
are, though, it won't be you. This works right up until someone doesn't like
you in particular, and writes you a custom virus.
>or we
>can try and raise awareness of security, increase the demand for it and
>eventually get more security professionals. I just can't see the growth of
>the Internet giving us time to do it.
Raising awareness might be the only thing that will work. That's
a very hard thing to accomplish, though. To pick on the originator
of the topic for a moment... even security people don't want to
hear that the protocol they want to run is bad... they just
want to run DCOM.
>And yeah, I know this is a big fuzzy post which doesn't actually talk about
>anything real. I'm just laying bait. 8)
Your bait looks reasonable to me.
Ryan