On Fri, 5 Apr 2002, Mikael Olsson wrote:

> > Notice that the problem for many sysadmins is too much security
>
> ... or low IQ^H^H^H^H^H^H lack of security training, but maybe
> most of all because of interference from a company manglement that
> needs to be taken out back and shot taken together with broken
> networked applications whose authors also need to be taken out
> back and shot.

If we shoot all the lusers, the problem resolves itself ;)

> But then again, this is a problem with firewall installations in
> general, not a real differentiator between proxies/state trackers.

Not just firewalls...

> Any equipment under the control of lusers needs to be put on
> a short leash. A bit of layer 7 inspection can work wonders
> here, f.i. by blocking java/activex/whatnot and disallowing
> untrusted applications using a common network protocol
> (read: internet explorer using HTTP).

There's an interesting counter-argument that entails giving up trying to
control what the lusers do.  Give them AV, give them a desktop protection
product, and make them gateway in to the corporate resources, or give them
"remote display" access only (Citrix, Terminal Server, Xwindows...)

That puts security back in the administrative realm where it's at least
somewhat manageable.

> But then again, the everyday admin wants to run so darn many
> protocols, and so insecure apps, that I'm unsure that a

It's not the admin that wants that stuff, it's the admin that has to
enable that stuff, and when it's a checkbox with no consistency of
inspection or tracking it doesn't matter which type of firewall you have.
There are enough bad examples on all sides.

> I'm tempted to do my rant about running security software on
> general-purpose operating systems here, but I'll spare you :)
> (And besides, I'm biased.)

The companion rant is about trying to do security on general-purpose OSen.
But that battle is either lost or yet to be fought well, depending on your
level of optimism.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
