On Fri, 25 May 2001 [EMAIL PROTECTED] wrote:
> > And, yet, this can be accomplished without fully restricting
> > outgoing packets, though granted, it takes more foreknowledge and
> > diligence than a full deny/allow some.
>
> Unless by "foreknowledge", you mean some mystical capacity to
> anticipate what new threat is going to surface next month, then I
> have to disgree with your conclusion. And if you *do* mean that,
> then I don't accept the premises that allow that conclusion.
By passing any traffic you are vulnerable to this.
>
> As far as I can see, the argument that you don't need outbound
> restrictions because you trust your users is as misplaced as the
> argument that you don't need a condom because you trust your sexual
> partner. It's not about whether you TRUST them, it's about whether
> you CARE ABOUT them (or not, as the case might be).
> This doesn't just involve trusting *your* users, but trusting
> everyone who can get some code they wrote executed on an internal
> machine. That's *at least* all the developers of OSes your users run
> on any device that plugs (or wirelesses) into the network, all the
> developers of applications your users use, all the builders of web
> pages your users ever visit, all the authors of macros in documents
> attached to email your users receive.
And because my users are well aware of the risks of running code without
verifying it, yes, it is a matter of the trust I place in the users.
And it's a matter of what I have passing for traffic on my network(s).
Understand, this is not the policy I'd use to secure a large network, but
it has been a policy I've used in maintaining smaller networks; as
mentioned, the price is high in monitoring as well as 'advising'. YMMV...
> The exceptions -- that you claim can be allowed! -- would require,
> as far as I can see, that ALL of these people be BOTH utterly
> trustworthy and virtually omniscient. I find it difficult to believe
> that there exist useful numbers of members of the intersection set.
> Convincing me otherwise will require a bit more evidence than a
> general dig at "point and clickers" -- it has been 20 years or more
> since I last knew anyone who thoroughly knew every nuance of every
> program on their favourite box.
You must be stuck with extremely untechnical persons on all the networks
you've had to work on in those years. But, do tell, when was the last time
you worked in a one-size-fits-all world?
Thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]