On Thu, 8 Jun 2000, Ben Nagy wrote:

> Which is obviously crazy, reading bugtraq lately.

It shouldn't take reading Bugtraq to realize this.  If we've fallen into
the "it's secure until proven otherwise" debacle, we've fallen pretty
damned far.

> My soapbox? I think the industry has gone way too far with extra firewall
> features, trying to hold on to a dead architecture. VPN, content screening,
> email checking, built-in bidet....

Hey!  That's _my_ soapbox dammit! ;)  Don't forget the
tunnel-everything-over-HTTP piece if you're gonna step up there!

> Perimeter / choke-point security is past it - we've all been told it a

I think there's still mileage there though, it just takes a back seat to
its former utility.

> million times. Host based security which is mutable according to a network /
> enterprise wide policy is the way to go from here. Having said that, I'd

Honestly, secure multi-level OSes are the ideal way to go from there;
policy doesn't stop incidents and people are going to do stupid things.
We need OS-level protections so that stupid things are in their own
sandbox and mission critical things are in a different sandbox a million
miles away, and the OS itself is in yet-another-sandbox...

> really like to see more work on good SPFs and good ALGs that don't do 
> anything fancy.

IPFilter has a fairly limited creature-feature set, and it all makes sense
filtering-wise.  Apache or http-gw from the toolkit work as HTTP proxies,
and aren't that bad a base to build on.

> On another note, with the work Lance has done poking at FW-1 and all the
> other commonly available firewall testing methods, shouldn't we be closer to
> a pretty-much-objective test that rates firewalls in terms of security
> against simple IP-based attacks / DoS? Someone just needs to collect all the
> bits of code and script 'em...

Nope, still too much implementation-based baggage, though at this point in
their lifecycle we should expect firewalls to hold up to the "obvious"
stuff :(

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
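As an added illustration of the "good SPF that doesn't do anything fancy" point above (this is an editor's example, not a ruleset posted by either participant), here is a minimal IPFilter (ipf.conf) ruleset in the style being argued for: default deny in both directions, anti-spoofing on the outside interface, stateful passes for outbound traffic, and a single stateful inbound hole for a web server. The interface name xl0, the 192.168.1.0/24 internal network and the 192.168.1.10 server address are assumptions for the example.

```conf
# Example ipf.conf (added illustration, not from the original thread).
# IPFilter evaluates rules top to bottom; the LAST matching rule wins
# unless a rule is tagged "quick", which stops evaluation immediately.
# xl0 = outside interface, 192.168.1.0/24 = inside net (both assumed).

# Default deny, logged. Everything not explicitly passed below is dropped.
block in  log all
block out log all

# Anti-spoofing: inside addresses must never arrive on the outside interface,
# and unroutable source addresses are dropped before any state is created.
block in log quick on xl0 from 192.168.1.0/24 to any
block in log quick on xl0 from 127.0.0.0/8     to any
block in log quick on xl0 from 10.0.0.0/8      to any
block in log quick on xl0 from 172.16.0.0/12   to any

# Outbound from the inside net: open state on the first packet only
# ("flags S" = SYN set, no ACK) so the matching replies are let back in
# by the state table rather than by a permissive inbound rule.
pass out quick on xl0 proto tcp  from 192.168.1.0/24 to any flags S keep state
pass out quick on xl0 proto udp  from 192.168.1.0/24 to any keep state
pass out quick on xl0 proto icmp from 192.168.1.0/24 to any keep state

# The one inbound service: HTTP to a single host, state-tracked, SYN only.
pass in quick on xl0 proto tcp from any to 192.168.1.10/32 port = 80 flags S keep state
```

Load it with `ipf -Fa -f /etc/ipf.conf` (flush, then load) and inspect the resulting state table with `ipfstat -s`. Nothing here inspects content or terminates VPNs; the filter's whole job is to decide which first packets may create state, which is the narrow role the thread argues a packet filter should keep.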
