Great Circle Associates Firewalls
(June 1996)

Subject: Re: RE: Raptor's Eagle Firewall
From: Rolf Weber <weber @ iez . com>
Date: Mon, 3 Jun 1996 19:14:37 +0200 (MESZ)
To: ianj-b @ dial . pipex . com (Ian Johnstone-Bryden)
Cc: firewalls @ greatcircle . com (firewalls)
In-reply-to: <MAPI . Id . 0016 . 00713530202020203038354330303041 @ MAPI . to . RFC822> from "Ian Johnstone-Bryden" at Jun 3, 96 04:16:24 pm

> 
> gary flynn wrote in part:
> 
> > The whole idea
> > behind
> > firewalls is to have tightly controlled code. It is the instability
> > and
> > poor security design of present operating systems that necessitate
> > firewalls
> > in the first place.
> > 
> 
> ?????????????????????????Really!!
> 
> The firewall exists most commonly as a placebo to allow people who 
> poorly specify, procure, implement, maintain, manage untrusted 
> information systems, to feel comfortable and secure from the fear of 
> attack via public networks.
> 
> Like marriage it is a triumph of hope over experience, which doesn't 
> mean it can't work for some people.
> 
> That doesn't of course mean that a firewall cannot reduce risks, just 
> that it's a costly way of doing so in many cases and no substitute for 
> implementing and running reliable information systems.
> 
You're right that you can't neglect internal security even when
you have a firewall.
But all threats I know about require, in one way or another, help from inside.
I don't believe that users on "trusted systems" are better educated
than others, so this threat still applies to trusted systems.
Of course, the attacker will at first only have the permissions of
this user, and it may be harder for the attacker to gain higher
privileges, but even having these reduced permissions is almost
(I think) bad enough.

> 
> Even if all internal networks were well specified, procured, 
> implemented and operated, there would still be a need for a guard at 
> the gateways to public systems (at least for most people) because 
> there would still be the potential risk of attack from outside.
> 
Yes, I agree.

> 
> OTOH some internal networks could be traditional poor design and 
> require no firewall because there was nothing worth attacking or 
> protecting.
> 
I really doubt this. There is, at least, the risk of losing
reputation.
Another point is that you can't say "this internal host isn't
worth protecting".
If *one* internal host falls, the attacker has:
  - access to the internal net, with the possibility of using
    sniffers.
  - a very fast connection to the other hosts.
  - direct access to the internal DNS server.
  - the hope that there is a misconfiguration and another internal
    host trusts it.
A nightmare, I think.

> 
> BTST a firewall built on an untrusted OS has itself got a number of 
> exploitable vulnerabilities. As many firewalls are built in the same 
> careless fashion, as the internal networks they are supposed to 
> protect, it is no great surprise to find that they are largely 
> ineffective in most things other than consuming corporate funding.
> 
I think this is stated too generally.
I'm sure there are a lot of poor firewalls, however not because of
the firewall's software but because of some guys configuring it.
(Those of you who are subscribed to fwall-users @ tis . com know what
I'm speaking about, I think.)

rolf
-- 
-----------------------------------------
Rolf Weber <weber @ iez . com> | All I ask is a chance
IEZ AG   D-64625 Bensheim  | to prove that money
++49-6251-1309-109         | can't make me happy.

