Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: [NTSEC] ActiveX, MSIE and Quicken
From: Bob Beck <beck @ obtuse . com>
Date: Sun, 2 Feb 1997 14:58:52 -0700 (MST)
To: peter @ baileynm . com (Peter da Silva)
Cc: Russ . Cooper @ RC . on . ca, firewalls @ GreatCircle . COM
In-reply-to: <9702021918 . AA10062 @ sonic . nmti . com . nmti . com> from "Peter da Silva" at Feb 2, 97 01:18:17 pm

	Banning ActiveX at the firewall is hardly taking away the MS
desktops. It's still viable inside the firewall as long as you're
talking about a relatively trusted environment. If you aren't talking
about a relatively trusted environment inside you probably shouldn't
be running an MS desktop anyway.

> > But if you think you can say that ActiveX is bad so take it away, you'll
> > have to tell them to take away all your MS desktops as well.
> 
> Love to, but that won't happen. That's like trying to fireproof your
> office by banning paper.
> 
	Not all that inconceivable.  There are perfectly viable
alternatives to an MS desktop for anyone who feels like using
them. It's also possible to put them on another net by themselves with
a separate firewall and security policy. You can even run them fairly
open, with the security policy that sensitive stuff doesn't go on the
open net. I.E. network A is the low security network where the users
are allowed to sysadmin their own desktops. Network B is the high
security network where that isn't allowed, and the permitted OS's are
mandated. Network B doesn't trust network A any more than it trusts
the internet. Not foolproof in the slightest, but draws a better
boundary for the users as to what is important.

	
> > I'm sure
> > many of you have been saying that for a while now, but the facts are in
> > front of the majority of you and can be seen just by looking around your
> > office.
> 
> Yep. And those facts say that the desktop will be completely unable to
> provide any useful security for the foreseeable future.
> 

	Microsoft's desktop will always be completely unable to
provide any useful security for the exact same reasons as we've seen
for years and years with Sendmail. It's big, bloated and constantly
afflicted with creeping featuritism. It's not *designed* to provide
useful security, it's designed to work well as a desktop environment
that can sell, period. Just as Sendmail is an MTA first and security
somewhere not first. (This isn't always a bad thing if your first and
foremost requirement is a powerful MTA.) Security can be addressed for
99% of its users by a few glossies with the words "Hacker" "Internet"
and "C2" jumbled in the rest of the marketing hype, since the odds
are they'll never get seriously hit even if they ran a fully unsecured
box.

	-Bob
--
Bob Beck					 Obtuse Systems Corporation
beck @ obtuse . com				 http://www.obtuse.com/
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.




