Comments (formatted badly) inline 8b
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct Dial: (08) 8422 8319 Mobile: (0414) 411 520
-----Original Message-----
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 29, 1999 9:53 PM
To: Ben Nagy
Cc: [EMAIL PROTECTED]
Subject: Re: Actually RE: Firewall Philosophy (was Re: DCOM on
Gauntlet)
On Fri, 28 May 1999, Ben Nagy wrote:
> Is it the job of the industry to protect us from poor IT management or
> poor IT consultants? At the end of the day, the customer is the customer,
> and they need to make their own decisions about how stupid they want to be.
That's not true in the case of most safety equipment. For instance, you
can't be an auto maker and put substandard air bags in a car even if the
consumer wants to have the airbag feature without paying the price for
all that gold. Firewall manufacturers are *supposed* to know something
about security. The average firewall customer doesn't know anything
about security. While I'm not advocating firewall laws like there are
motorcycle helmet safety standards, seatbelt standards, and impact
protection requirements, there has to be some measure of responsibility on
the part of the manufacturer.
There are clearly two schools of thought here. Just because I like
arguments, I'll plough on 8). The reason I don't like FW manufacturers
making decisions about what firewalls allow and what they don't is because
fundamentally I don't believe that they have the best interest of my
(customers') business at hand. I know that you're advocating that vendors
make decisions to _increase_ security without giving users an option, but I
don't think that's their place. If I develop some fancy proxy that I think
sanitises an insane protocol, I'll be pretty pissed off if I can't get it
through my firewall. Not to mention the fact that engineering out the
possibility of making your firewall "insecure" is probably going to make it
so inflexible as to be useless. I'm all in favour of the vendors shipping a
secure out-of-the-box config, and I would consider it irresponsible of them
not to. However, if an "advanced" user can't screw things up and get
themselves in trouble there is something wrong.
> Where does the problem lie? Why is it that so few people in the "real
> world" are aware of security issues, or are prepared to take them seriously?
Because (a) The Internet isn't ready for security, (b) Understanding the
issues (let alone trying to fix them) takes not just the right mindset,
but to really give assurance, a high level of technical competence that just
doesn't exist in large numbers. (c) Security is expensive. (d) It's
still an odds game, and like daytrading you can make a killing if the
odds favor you. (e) Most industries have gone from process focused to
customer focused - and the customer isn't always right *especially* when
they're your users.
Rhetorical Question. Sound Answer. ;)
> I mean, I'm all there in terms of agreeing that too many sites are
> completely deluded about security, and I concede the very valid point that
> the new boom in firewalls for the masses has probably contributed to this.
> I think the biggest problems we have are lack of expertise - there aren't
> enough security people with a clue and lack of acceptance - nobody is
> prepared to take security seriously enough to spend some money on it. Now
Ah! But we've started to solve that problem. We spent *years* lobbying
for _firewalls_. Now *most* serious companies buy firewalls, remember
back when justifying a $60,000 single point of failure was a pain in the
butt? The problem is that businesses are trying to purchase security and
instead they're getting an increasingly less security focused product
with interfaces targeted to their clueless administrators making it easy
to give the entire farm away.
So are you saying we solve this by having vendors write firewalls that are
less flexible instead of having more skilled administrators? Firewall
companies aren't big brothers! They aren't bound by law to provide a product
that cannot be subverted by a clueless administrator (thankfully), and at
the end of the day, they exist to make money for their shareholders by
selling more firewalls. Besides all that, I don't _want_ some arbitrary
company telling me that if I buy their firewall I cannot allow ports x - y
or protocol z or whatever.
> either we can try and encode this knowledge in some cool new product, or
> we can try and raise awareness of security, increase the demand for it and
> eventually get more security professionals. I just can't see the growth of
> the Internet giving us time to do it.
*If* we blocked all the _absolute crap_ protocols all the time, the
Internet would grow with security because the protocol designers would be
forced to consider security up-front. The problem is that too many of us
are willing to compromise security in point cases. There's no long-term
strategy in the implementation side of this industry. That translates to
vendors in and outside the industry marketing on user interfaces, number
of "supported" protocols, time to market, and a bunch of other stuff that
has almost nothing to do with security.
Hear hear. IMO we need (apart from better admins) better protocol design,
not better firewalls.
With that trend, IDS' are the next anti-virus products, and it'll be a big,
good market for them. "Oh, you didn't have the skriptomatic attack
signature loaded, come to our Web site and get an update!"
IDS - the firewall version of reaching for the condom while smoking the
cigarette. Yay. Not that I'm disputing it's a growth market.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]