On Mon, 11 Dec 2000, Roy G. Culley wrote:

> Paul D. Robertson wrote:
>
>       <snipped>
>
> If I remember correctly, this thread started out with you saying
> that stateful inspection on firewalls was useless. 'active' ftp is

You don't remember correctly.  I stated that the incremental gain added by
state keeping in packet filters isn't very large.  I don't recall ever
saying that keeping state was useless (indeed, I remember pointing out its
use in stateless protocols.)

> a case which proves you wrong. With stateful inspection 'active' ftp
> is as secure as passive mode. Thus stateful inspection is useful

Passive mode FTP still isn't a _good_ protocol.  Bad protocol versus worse
protocol still doesn't win the game, it just loses it less badly.  Kind of
like dying from a sucking chest wound versus dying from a head shot, the
result is the same, it's just how you get there and how much pain is
involved.  Active FTP from a proxy server is probably still better than
passive mode straight to a client, but neither of them is "good."

> when a server doesn't support passive mode (they do exist). Firewalls
> are an afterthought for most organisations. The firewall policy is
> a compromise between what users had before security became important
> and the need to protect their internal network. As I said previously

Maybe _your_ policy works that way, but my policies have always been a
compromise between what the business needs to do and how well-protected
the business's assets need to be.  Taking responsibility for securing an
organization makes you automatically go into a mode where being able to
explain a security policy and justify the expense for making exceptions
more secure instead of just clicking the checkbox for "allow braindead
protocol #47 right through" is important.  Thousands of users have lived
daily with my security policies, and they've been mostly happy.

> your dictatorial attitude is a main reason why other methods of
> overcoming security are becoming popular. Wasn't it Bill G himself who

No, the general trend to allow users free rein until something is proven
harmful is why methods of overcoming security are popular.  The cost
effectiveness of using a single set of routines to transport everything is
why methods of overcoming security are popular, and the fact that most
places don't even have security is why it's an afterthought.  The fact
that people don't hold vendors accountable for overcoming security is
probably the biggest problem.  As a society, we don't generally allow
widespread marketing and adoption of things that overcome security systems
outside of this space, that's the core issue.

> said that SOAP was a necessity because of the attitude of people like
> you?

I had an MFS tech come in to install a link once (during the MSN
launch) looking for either me or Bill Gates, but we're really not that close ;)

The tunneling game was lost several years ago, and was destined to be
lost, especially at the point where packet filtering firewalls became
popular and ALGs didn't provide new proxies.  I still think that Marcus
bears some responsibility for plug-gw's success, though it wasn't meant as
an excuse not to write proxies.

> Also, there is no need to send a copy of your replies to me. I am on
> the firewalls mailing list.

I've edited the headers; however, Reply to all is the easiest way for me
to keep the conversation on-list.  If you set reply-to, my mail client
(and I) will honor it.  My client also generates unique message-ids,
should you wish to filter on them (personally, I find filtering on the To:
address to work when I need to weed things out.)  For lists that don't set
reply-to by default, direct replies keep list lag out of a conversation.
I'm on a significant number of lists, and won't be able to remember to make
specific exceptions often, so I apologize in advance.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
                                                                     PSB#9280

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
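The exchange above argues over how much a stateful packet filter buys you for active FTP. The toy model below, an added illustration and not code from either poster or any firewall product, shows the mechanism under discussion: the filter reads the control channel, derives exactly one expected data connection from a PORT command (or a 227 PASV reply), and opens a single-use pinhole for it, whereas the classic stateless rule has to admit any connection from TCP/20 to any unprivileged inside port. The IP addresses, port numbers and control-channel lines are constructed sample values; the bounce and privileged-port checks are the ones a practitioner would expect such a helper to make.

```python
"""Constructed model of the stateful pinhole a packet filter or FTP ALG derives
from the control channel, next to the stateless rule it replaces.
All addresses and control-channel lines below are made-up sample data."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2  (client tells server where to connect for active mode)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# 227 reply with (h1,h2,h3,h4,p1,p2) (server tells client where to connect for passive mode)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Flow:
    """One expected TCP data connection; src_port None means any source port."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


def parse_hostport(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expected_data_flow(line: str, client_ip: str, server_ip: str):
    """Return (flow, reason): the single data connection this control-channel
    line licenses, or (None, reason) when it must not open anything."""
    m = PORT_RE.match(line)
    if m:
        ip, port = parse_hostport(m.groups())
        if ip != client_ip:
            # FTP bounce: never open a hole toward a third party the client names
            return None, "PORT address does not match control-channel client"
        if port < 1024:
            return None, "PORT to privileged port refused"
        # Active mode: server connects from TCP/20 to the port the client advertised
        return Flow(server_ip, 20, client_ip, port), "active"
    m = PASV_RE.match(line)
    if m:
        ip, port = parse_hostport(m.groups())
        if ip != server_ip:
            return None, "PASV address does not match control-channel server"
        # Passive mode: client connects (any source port) to the server's advertised port
        return Flow(client_ip, None, server_ip, port), "passive"
    return None, "no data-channel negotiation on this line"


def stateless_active_rule(src_ip, src_port, dst_ip, dst_port, inside_net="10.0.0."):
    """The stateless rule active FTP forces on a plain packet filter:
    allow anything from TCP/20 to an unprivileged port on the inside."""
    return src_port == 20 and dst_port > 1023 and dst_ip.startswith(inside_net)


class StatefulFilter:
    """Holds pinholes derived from observed control-channel lines."""

    def __init__(self):
        self.pinholes = set()

    def observe(self, line, client_ip, server_ip):
        flow, why = expected_data_flow(line, client_ip, server_ip)
        if flow is not None:
            self.pinholes.add(flow)
        return why

    def permits(self, src_ip, src_port, dst_ip, dst_port) -> bool:
        """Admit a SYN only if it matches a pinhole; each pinhole is single-use."""
        for f in list(self.pinholes):
            if (f.src_ip, f.dst_ip, f.dst_port) == (src_ip, dst_ip, dst_port) \
                    and f.src_port in (None, src_port):
                self.pinholes.discard(f)
                return True
        return False


def demo():
    """Returns (legit_allowed, unrelated_allowed_stateful, unrelated_allowed_stateless)."""
    client, server = "10.0.0.5", "192.0.2.10"        # constructed sample addresses
    fw = StatefulFilter()
    fw.observe("PORT 10,0,0,5,4,1", client, server)   # client advertises port 4*256+1 = 1025
    legit = fw.permits(server, 20, client, 1025)      # the negotiated data connection
    other = fw.permits(server, 20, client, 3389)      # same source port 20, different target
    broad = stateless_active_rule(server, 20, client, 3389)
    return legit, other, broad


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The point the comparison makes is the one both posters are circling: the stateful filter admits one connection the client actually asked for and nothing else, while the stateless rule has to trust anything that merely sets its source port to 20. The bounce check matters because the control channel is client-supplied input; a PORT naming some other host must not turn the firewall into a relay.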
