>
> There is no way to build a secure environment on top of an unsecure
> environment. That is similar to adding quality into a product after it
> is produced. It must be built in from the bottom.
>
> The OS *IS* the firewall, if you want it to work. Of course, it all depends
> upon what you mean by a "firewall." Is a firewall supposed to reduce the risk
> of attack to your system? If so, then the wise will look at the real
> statistics of risk. Only 10% of actual security incidents are done by
> outsiders. 90% are done by insiders (75% by administrators). (Sprint says
> up to 95% are due to insiders, and Citibank MEASURED 87% done by insiders
> in 1994.)
>
> So, if a firewall that only protects you against outsiders works perfectly,
> you might reduce your risk by 10%. Won't you feel nice and warm and fuzzy!?
yes, i feel :-)
if the firewall is properly configured, even insiders can't break the
firewall's security.
>
> Another problem with firewalls being an application is that the firewall
> then does not really provide much protection for WWW sites. Since you
> can't trust the WWW software to run on the firewall (because you can't
> trust the OS), you must either put the WWW server inside of or outside of
> the firewall. If it is outside, then there is no protection for the WWW
> server (and I am certain that we all know of the home pages that have been
> altered by hackers). If the WWW server is on the inside, then you must
> open a hole for anonymous users in the firewall, thus greatly reducing or
> eliminating any security it might have afforded you.
how could a firewall protect a WWW server? impossible!
the only 'secure' solution is to place it outside and insure this host as
good as possible.
>
> Bottom line is that the firewall is COMPLETELY dependent upon the security
> provided by the OS for its own security - The firewall can be no more
> secure. If I can break into the OS, the firewall is mine to mangle. More
> on thsi below.
>
> [snip]
>
> Jon F. Spencer spencerj @
rtp .
dg .
com (uunet!rtp.dg.com!spencerj)
> Data General Corp. Phone : (919)248-6246
> 62 T.W. Alexander Dr, MS #119 FAX : (919)248-6108
> Research Triangle Park, NC 27709 Office RTP 121/9
>
on a typical firewall, there only runs:
-the kernel, i never heard of any breakin with the help of a kernel bug
-a few harmless services such as inetd
-the firewall software, often known, sometimes proven to be good
i trust this stuff, but not the configuration of the firewall, even not mine.
if you want a better security as such one, it's surely *not* your OS, it's
simply not to connect at all.
i don't know if your OS is more or less secure as mine. but, IMHO, it doesn't
matter. human failure, that's the point you have to take care.
rolf
--
-----------------------------------------
Rolf Weber <weber @
iez .
com> | All I ask is a chance
IEZ AG D-64625 Bensheim | to prove that money
++49-6251-1309-113 | can't make me happy.
Follow-Ups:
References:
|
|
