On Thu, 13 Apr 2000, Mikael Olsson wrote:
> > Just because new protocols exist *doesn't* mean you have to let them
> > through the firewall.
>
> Definitely not...
>
> Except for HTTP of course. If I knew five years ago what monster HTTP would
> evolve into I think I'd have made it company policy to never _ever_ let
> it pass through the firewall in any direction. :)
HTTP has always been an evil monster, but the lusers won't go back to
gopher :(
SSL is still the descent of evil into the structure of the universe.
<US-centric humor>
Maybe we can get Judge Jackson to rule on HTTP and HTTPS next? ;)
</US-centric humor>
> > <snip>
> > The server side is the *easy* part. It's the client side where the legacy
> > of sloppiness will bite a *lot* of people.
>
> Undoubtedly. (Which by the way is why the fix for all the current FTP problems,
> IMHO, is to enforce passive mode FTP which exposes the servers but saves the
> clients.) An unmanageable amount of workstations all in the hands of ... *shudder*
> lusers, who all want to install the latest cool stuff from the hands of our
> willing glitzy multimedia paperclip-assistant-providing run-everything-over-HTTP
> vendors. It's a nightmare :P
I still happen to hold the opinion that remote display from a hardened OS
(preferably one with MAC compartments) is the best answer to all that
stuff. Preferably on an OS that doesn't allow Internet-enabled object
modules.
<pedantic>
> WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
If you put the trailing slash on the URL you'll save a round trip.
</pedantic>
</evil plot to draw even more response>
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280