On Fri, Jan 07, 2005 at 06:52:18AM -0500, stan wrote:

> While you are certainly correct about at least one of the "inside" machines
> being compromised, security is best done as a "defence in depth" approach,
> and a firewall is a significant part of such a design.
Actually, almost all the security experts I know would disagree with that. There's nothing wrong with having a firewall as a backup line of defense, particularly against mistakes by the operators of individual machines behind the firewall -- as they will make mistakes, and install insecure server apps and so on -- but it should not be a significant part of your strategy.

Under the modern philosophy of a secured network, the design goal is that every machine should be capable of being exposed to the open internet safely. That's because, at one point or another, your firewall will be compromised, and so all your machines will be as they were on the open internet to that attacker. It's a question of when, not if. (Firewalls are something that security consultants and companies sold because they had to do _something_ about how blatantly insecure most systems were, particularly Windows boxes.)

That's the goal. We don't always attain our goals, and ordinary users and even experienced sysadmins are always making errors, so a firewall is the backup defence against those errors. But you would never want to design a security protocol which depends on the firewall for its security.

Well, almost never. You might do it if what you were protecting was not ever going to be important, and the UI gains you made from this approach were powerful enough to justify it. For example, I have been considering a protocol for IP based speakers. I could see IP speakers being configured to accept sound streams from anybody on their subnet. This is acceptable because the worst that could happen is that intruders could play rude sounds on your speakers and wake you up in the middle of the night. Annoying, but no damage done to data. The gain in convenience of not having to do anything to configure this mode is worth it. And so this philosophy might apply as well to IP video components.
However, with Myth, the attacker can:

a) Erase or change all your videos, preferences and schedules -- all data
b) Get complete logs of all your viewing habits
c) Possibly corrupt or destroy other databases if your SQL server is not well secured.

This is more serious, and worthy of some minor UI inconvenience. As noted, done properly, this can amount to no more than entering a password once when configuring a new device. This is not a big whoop; it's much harder when you have to consider devices that have no keyboards or screens in order to let you enter passwords or have UIs!
_______________________________________________
mythtv-users mailing list
mythtv-users@mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-users