On Fri, 28 May 1999, Ben Nagy wrote:
> Is it the job of the industry to protect us from poor IT management or poor
> IT consultants? If a company takes a considered risk assessment and says
> "Well, bugger it. I have bucket loads of insurance and I _want_ to run ICQ
> to every host on my network" then isn't it the job of firewall vendors to
> let them? At the end of the day, the customer is the customer, and they need
> to make their own decisions about how stupid they want to be.
That's not true in the case of most safety equipment. For instance, you
can't be an auto maker and put substandard air bags in a car even if the
consumer wants to have the airbag feature without paying the price for
all that gold. Firewall manufacturers are *supposed* to know something
about security. The average firewall customer doesn't know anything
about security. While I'm not advocating firewall laws like there are
motorcycle helmet safety standards, seatbelt standards, and impact
protection requirements, there has to be some measure of responsibility on the
part of the manufacturer.
> Where does the problem lie? Why is it that so few people in the "real world"
> are aware of security issues, or are prepared to take them seriously?
Because (a) The Internet isn't ready for security, (b) Understanding the
issues (let alone trying to fix them) takes not just the right mindset,
but to really give assurance, a high level of technical competence that just
doesn't exist in large numbers. (c) Security is expensive. (d) It's
still an odds game, and like daytrading you can make a killing if the
odds favor you. (e) Most industries have gone from process focused to
customer focused - and the customer isn't always right *especially* when
they're your users.
> Sometimes I don't know if all of us security guys are just paranoid freaks
> or if the industry at large are starry-eyed lambs romping into the big happy
> safe Internet which is there for the good of all. Doesn't writing firewall
> software that won't let you do things because in the opinion of firewall
> vendors "that's bad" sound wrong to you guys?
No, it doesn't. If I'm Joe Unsophisticated User, and I go shopping for a
firewall to "protect" my company from the "big bad evil k-rad 'leet hax0r
dudes" and I install it and I suddenly can't use DCOM - and there's no
way to use DCOM, then my network is protected from DCOM attacks. If
there's a button that says "Allow DCOM" and suddenly every high port in
existence is immediately opened up, what value does my "firewall" have
now? That's the kind of thing vendors are shipping.
> I mean, I'm all there in terms of agreeing that too many sites are
> completely deluded about security, and I concede the very valid point that
> the new boom in firewalls for the masses has probably contributed to this. I
> think the biggest problems we have are lack of expertise - there aren't
> enough security people with a clue and lack of acceptance - nobody is
> prepared to take security seriously enough to spend some money on it. Now
Ah! But we've started to solve that problem. We spent *years* lobbying
for _firewalls_. Now *most* serious companies buy firewalls, remember
back when justifying a $60,000 single point of failure was a pain in the
butt? The problem is that businesses are trying to purchase security and
instead they're getting an increasingly less security focused product
with interfaces targeted to their clueless administrators making it easy
to give the entire farm away.
> either we can try and encode this knowledge in some cool new product, or we
> can try and raise awareness of security, increase the demand for it and
> eventually get more security professionals. I just can't see the growth of
> the Internet giving us time to do it.
*If* we blocked all the _absolute crap_ protocols all the time, the
Internet would grow with security because the protocol designers would be
forced to consider security up-front. The problem is that too many of us
are willing to compromise security in point cases. There's no long-term
strategy in the implementation side of this industry. That translates to
vendors in and outside the industry marketing on user interfaces, number
of "supported" protocols, time to market, and a bunch of other stuff that
has almost nothing to do with security.
With that trend, IDSes are the next anti-virus products, and it'll be a big,
good market for them. "Oh, you didn't have the skriptomatic attack
signature loaded, come to our Web site and get an update!"
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
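As an added example (not part of the original thread), the following Python models the "Allow DCOM" button Paul describes as a first-match packet-filter policy and counts the inbound TCP ports each policy exposes; the policies, port ranges and the pinned DCOM range are constructed assumptions for illustration.

```python
"""Quantify what an 'Allow DCOM' rule does to a firewall policy.

A policy is an ordered list of inbound TCP rules evaluated first-match,
as most packet filters do it. Everything not matched falls to the default
action. The policies below are constructed, not taken from any product.
"""

from dataclasses import dataclass

ALL_PORTS = range(1, 65536)


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    first: int   # inclusive port range
    last: int

    def matches(self, port: int) -> bool:
        return self.first <= port <= self.last


def decide(rules, port, default="deny"):
    """Return the action of the first rule matching the port."""
    for rule in rules:
        if rule.matches(port):
            return rule.action
    return default


def exposed_ports(rules):
    """Set of inbound TCP ports the policy lets through."""
    return {p for p in ALL_PORTS if decide(rules, p) == "allow"}


def exposure_report(rules):
    """How many ports are reachable, and what share of the port space."""
    open_ports = exposed_ports(rules)
    return {"open": len(open_ports), "fraction": len(open_ports) / len(ALL_PORTS)}


# Constructed baseline: mail and web only, default deny.
BASE = [Rule("allow", 25, 25), Rule("allow", 80, 80), Rule("allow", 443, 443)]
# The "Allow DCOM" button as described: RPC endpoint mapper plus every high port.
ALLOW_DCOM_NAIVE = BASE + [Rule("allow", 135, 135), Rule("allow", 1024, 65535)]
# Assumed narrower alternative: DCOM pinned to a small dynamic range
# (5000-5010 is a constructed range for this example).
ALLOW_DCOM_PINNED = BASE + [Rule("allow", 135, 135), Rule("allow", 5000, 5010)]

if __name__ == "__main__":
    for name, policy in [("base", BASE), ("naive", ALLOW_DCOM_NAIVE),
                         ("pinned", ALLOW_DCOM_PINNED)]:
        print(name, exposure_report(policy))
```

The naive policy leaves essentially the whole high-port range reachable, which is the point of the question "what value does my firewall have now?".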