At 2:34 PM 8/30/94, Esh, Andrew wrote:
>which are just as capable of a denial-of-service attack as any hacker is.
>Once security is obtained, further efforts to provide or restore access
>to the network are not pursued, in the name of "security". Paths to petty
>tyranny lead in many directions from this point, with the system
>administrator (and the network policy wonks behind him/her) as the prime
I suspect this depends heavily on your definition of "service." Is it a
"denial of service" if the firewall doesn't let you use the
golly-gee-wiz-neato new net toy that is currently all the rave?
It rests on the question of what the needs of the site are (which don't
always match with the wants of the user). Some sites have a strong need
for security, because the potential damage from an intruder is greater than
the potential benefit of having a open firewall that is user-friendly.
Other sites don't. If you think your site should be more open, demonstrate
the benefits of such a policy to the powers-that-be, be they managers,
provosts, or the board of directors of an organization.
>Do not misunderstand me. I am not denouncing firewalls, just their
>misuse. In fact, due to my personal (negative) experiences with them, I
>plan to become a great deal more educated in their use. My hope is to aid
>the design of better ones which provide both security AND common user
>access. I feel we must guard against the mindset that security is worth
>(even partial) denial of access. We must also guard against becoming
You are making sweeping generalizations that may not be true of places
other than your site. In some cases, security is worth limiting access,
and taking a "that which isn't explicitly allowed is disallowed" attitude.
In some cases, it isn't.
There is, of course, always the option of seeking out your own connection
to the Internet, and setting your own policy.
Bob Snyder N2KGO MIME, PGP, RIPEM mail accepted
edu PGP & RIPEM keys on key servers
When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.