Re: Did anybody hear this??
On 7/27/05, Chris Kuethe <[EMAIL PROTECTED]> wrote:
> On 7/26/05, Siju George <[EMAIL PROTECTED]> wrote:
> > On 7/26/05, Bruno Delbono <[EMAIL PROTECTED]> wrote:
> > > +++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:
> > >
> > > > how much truth is actually in this article???
> > >
> > > It makes a lot of sense and is right on. What I take out of this article is
> > > that having one single firewall (can be any type: network, application etc.)
> > > at the perimeter doesn't stop hackers.
> > >
> > > I don't see what really alarmed you?
> > >
> >
> > Thanks for the reply Bruno. Just the thing: whether this is the current
> > trend, eliminating firewalls and going for an alternative like he
> > mentioned?
>
> You completely missed the point.
>
> The point was that the "crunchy on the outside, chewy on the inside"
> security model is wrong. A single perimeter firewall tends to allow
> the inside network to be woefully unsecure and this is something to be
> avoided. Or, put another way, the single greatest failing of a
> firewall is that it allows people to continue behaving unsafely.
>
> Think about it: if every host you control is set up to survive contact
> with an evil host, then it doesn't matter much if someone out there
> tries to break in, or someone brings in a virus-laden laptop or
> whatever else. So maybe the elimination of "the firewall" is a
> worthwhile pursuit so long as you keep an eye toward properly bolting
> down your empire.
>

Yes :-( Thank you so much :-)

kind regards

Siju

> CK
>
> --
> GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Did anybody hear this??
On 7/26/05, Siju George <[EMAIL PROTECTED]> wrote:
> On 7/26/05, Bruno Delbono <[EMAIL PROTECTED]> wrote:
> > +++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:
> >
> > > how much truth is actually in this article???
> >
> > It makes a lot of sense and is right on. What I take out of this article is
> > that having one single firewall (can be any type: network, application etc.)
> > at the perimeter doesn't stop hackers.
> >
> > I don't see what really alarmed you?
> >
>
> Thanks for the reply Bruno. Just the thing: whether this is the current
> trend, eliminating firewalls and going for an alternative like he
> mentioned?

You completely missed the point.

The point was that the "crunchy on the outside, chewy on the inside"
security model is wrong. A single perimeter firewall tends to allow
the inside network to be woefully unsecure and this is something to be
avoided. Or, put another way, the single greatest failing of a
firewall is that it allows people to continue behaving unsafely.

Think about it: if every host you control is set up to survive contact
with an evil host, then it doesn't matter much if someone out there
tries to break in, or someone brings in a virus-laden laptop or
whatever else. So maybe the elimination of "the firewall" is a
worthwhile pursuit so long as you keep an eye toward properly bolting
down your empire.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Did anybody hear this??
On 7/26/05, Bruno Delbono <[EMAIL PROTECTED]> wrote:
> +++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:
>
> > how much truth is actually in this article???
>
> It makes a lot of sense and is right on. What I take out of this article is
> that having one single firewall (can be any type: network, application etc.)
> at the perimeter doesn't stop hackers.
>
> I don't see what really alarmed you?
>

Thanks for the reply Bruno. Just the thing: whether this is the current
trend, eliminating firewalls and going for an alternative like he
mentioned?

kind regards

Siju

> The author makes excellent points and I
> agree with him. Now SMBs might traditionally fit better with these
> articles, bigger enterprises tend to differ as many roles (for the users
> anyway) are well defined and access (incoming, outgoing) for internal &
> external.
>
> -Bruno
Re: Did anybody hear this??
On Tue, Jul 26, 2005 at 11:20:35AM -0500, Terry Tyson wrote:
> I only have one firewall but it is three legged, the DMZ box and the
> LAN are separate. Is this what you mean by "different (protected)
> networks"?

Everything depends on your particular situation and needs, but the general
idea is that servers shouldn't be wide open to the clients.

In your case, if that one firewall is compromised, all attached networks
are exposed. This might or might not be something you should worry about.
It all depends on your needs.

--
Jurjen Oskam
Re: Did anybody hear this??
From: Terry Tyson [mailto:[EMAIL PROTECTED]]
> > Generally, that is a bad situation. So, the advice to put different types
> > of machines into different (protected) networks is good.
>
> I only have one firewall but it is three legged, the DMZ box and the
> LAN are separate. Is this what you mean by "different (protected)
> networks"?

I take it as meaning avoiding the "crunchy on the outside, chewy in the
middle" architecture that only perimeter security gives you. Depending on
your network and the assets and information located on the LAN, you may
find that separating services by access level gives you benefit.

For example, say you have financial users, financial servers, HR users,
HR servers, standard internal servers, and regular end users / trained
monkey staff. Even though they are technically all on the LAN, you can
protect your financial servers from the places and people on the LAN that
don't need access to them by placing/protecting them such that only your
financial users that DO need access to them can reach them. Ditto for the
HR systems/people. As for the standard network services servers, since
everybody needs to access them, you have a less restrictive policy around
them.

Real segmentation of the LAN works for this kind of thing, via VLANs or
whatever.

DS
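As an added illustration of the segmentation DS describes (this is not a configuration from the thread or from any poster): a pf.conf fragment for an OpenBSD router that has one interface per VLAN, with a default-deny policy and explicit passes for each access level. Interface names, address ranges and the set of "standard" services are assumed for the example.

```pf
# Added example, not from the thread: one LAN split into role-based VLANs,
# each on its own router interface. Names and addresses are illustrative.
fin_if = "em1"   # financial users + financial servers VLANs arrive here
hr_if  = "em2"   # HR users + HR servers
usr_if = "em3"   # regular end users
srv_if = "em4"   # standard internal servers everybody needs

table <fin_users>   { 10.10.1.0/24 }
table <fin_servers> { 10.10.2.0/24 }
table <hr_users>    { 10.10.3.0/24 }
table <hr_servers>  { 10.10.4.0/24 }
table <std_servers> { 10.10.5.0/24 }

set skip on lo

# Default deny between every segment; log what gets dropped so that a
# workstation probing the financial servers shows up in pflog.
block log all

# Everybody may reach the standard services (assumed: DNS, mail, SMB).
# State-policy is floating by default, so the state created on the
# inbound interface also passes the packet out on $srv_if.
pass in proto { tcp udp } from any to <std_servers> port { 53 25 445 } keep state

# Only financial users may reach financial servers; same for HR.
# Anything else on the LAN (including the end-user VLAN) never gets a pass rule.
pass in on $fin_if from <fin_users> to <fin_servers> keep state
pass in on $hr_if  from <hr_users>  to <hr_servers>  keep state

# Servers may answer within existing states but never initiate connections
# toward user segments; the quick rule makes such attempts obvious in the log.
block return log quick from { <fin_servers>, <hr_servers>, <std_servers> } \
    to { <fin_users>, <hr_users> }
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see which segment-crossing traffic the default deny is catching.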
Re: Did anybody hear this??
On Tue, Jul 26, 2005 at 03:20:05PM +0200, Jurjen Oskam wrote:

snip

> It does look like the "before" situation in the article is one where there
> is only one firewall that separates the LAN from the Internet, and
> everything on the LAN is treated equally, workstations and servers alike.
>
> Generally, that is a bad situation. So, the advice to put different types
> of machines into different (protected) networks is good.

I only have one firewall but it is three legged, the DMZ box and the
LAN are separate. Is this what you mean by "different (protected)
networks"?

Terry
Re: Did anybody hear this??
On Mon, Jul 25, 2005 at 10:05:32PM -0700, Bruno Delbono wrote:
> > how much truth is actually in this article???
>
> It makes a lot of sense and is right on. What I take out of this article is
> that having one single firewall (can be any type: network, application etc.)
> at the perimeter doesn't stop hackers.

It does look like the "before" situation in the article is one where there
is only one firewall that separates the LAN from the Internet, and
everything on the LAN is treated equally, workstations and servers alike.

Generally, that is a bad situation. So, the advice to put different types
of machines into different (protected) networks is good.

Many people wouldn't go as far as entirely eliminating the outside firewall
though; although he says that the desktops run "secure OSes" he also
mentions Active Directory. Some would say those two terms don't go well
together. :-)

> I don't see what really alarmed you? The author makes excellent points and I
> agree with him.

I also agree, except for the part of eliminating the externally facing
firewall entirely.

--
Jurjen Oskam
Re: Did anybody hear this??
Siju George said:
> Hi all,
>
> how much truth is actually in this article???
>
> http://www.securitypipeline.com/165700439

A lot. And not so much.

Firewalls do nothing to verify the authenticity of packets that get
through, firewalls do nothing to protect the secrecy of packets that get
through. Telnet behind a firewall is still insecure to anything that is
also behind the firewall, for instance.

But, they *do* stop packets. The author alludes to relying on
packet-stopping features of ACL-based switches, and that's not really all
that different from using a firewall. And he pretends that the things
firewalls do best - protect a system you can't otherwise secure - are
unnecessary. Sorry, but ActiveDirectory-authenticated Windows Filesharing
is still Windows Filesharing.

Should you depend on your firewall? No. Use it when other solutions
aren't available.

Is it a valid solution for some problems? Yes.

--
Matthew Weigel
hacker
[EMAIL PROTECTED]
Re: Did anybody hear this??
On 7/25/05, Siju George <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> how much truth is actually in this article???
> http://www.securitypipeline.com/165700439

Bla bla bla firewalls are dead bla bla bla defense in depth bla bla bla.

Ultimately the good points the author makes are 1) you really should be
securing everything up to the end host 2) you need to use "defense in
depth". Neither of these should be a surprise to anyone here.

Run pf to drop packets you don't need to see. Turn off unneeded network
services. Make your daemons drop privileges they don't need. Use
cryptography. Use exploit mitigation techniques. Validate input. Use APIs
designed for security. Write good, clean, understandable code. All of
these bring a different asset to the table. If you've got a bunch of
easy-to-use security technologies, why would you not use them...

While the previous list assumes OpenBSD, a suitable list of hardening
practices is probably available for the platform/application of your
choice.

CK

--
GDB has a 'break' feature; why doesn't it have 'fix' too?
Re: Did anybody hear this??
+++ Siju George [Tue Jul 26, 2005 at 10:18:56AM +0530]:

> how much truth is actually in this article???

It makes a lot of sense and is right on. What I take out of this article is
that having one single firewall (can be any type: network, application etc.)
at the perimeter doesn't stop hackers.

I don't see what really alarmed you? The author makes excellent points and I
agree with him. Now SMBs might traditionally fit better with these
articles, bigger enterprises tend to differ as many roles (for the users
anyway) are well defined and access (incoming, outgoing) for internal &
external.

-Bruno
Did anybody hear this??
Hi all,

how much truth is actually in this article???

http://www.securitypipeline.com/165700439

Thank you so much

Kind regards

Siju