On Sun, Jan 28, 2001 at 02:10:25AM +0100, Dominik Kubla wrote:
> On Sat, Jan 27, 2001 at 07:11:59PM -0500, Gregory Maxwell wrote:
> > It's this kind of ignorance that makes the internet a less secure and stable
> > place.
>
> You have obviously absolutely no idea what you are talking about. Period.

Your following comments show exactly who has no idea of what he is
talking about. Period.

> > The network should not be a stateful device. If you need stateful
> > firewalling the only place it should be implemented is on the end node. If
> > management of that is a problem, then make an interface solve that problem
> > instead of breaking the damn network.
>
> So how do you propose to secure devices like MRT's or X-Ray scanners or
> life-support in a hospital? Nowadays this equipment is hooked to the
> internal network of the hospital and protected by really paranoid
> firewalls. Do you really want unneeded software on those devices?

Oh yes! This provides you with virtually zero extra security.
Now someone in the next room, perhaps the lobby, is free to attack the
system... Which probably has very little extra security and trusts the
network (after all, it's firewall protected).
An attack against an Xray system is much more likely to come from inside the
company's network.
The only way to have firewall protection against even a simple majority of
attacks is to implement a firewall per system. That would be expensive, and
wasteful, so it makes a lot more sense to implement a firewall IN every
system. Such a thing can be done at zero expense with practically no
performance loss and not break the end-to-end model of the Internet.
But such a simple solution would totally invalidate the use for most
security 'experts' and their products.
Firewalling is commodity. Cope. It's much more useful to push it to the
end-node where it belongs. But look where security companies make their
money.... The most common business affecting security violations are
internal. Yes, many security companies are making most of their money
selling expensive and pointless network prophylactics. Why? For firewalling to
be affordable on every system, it has to be free. That's not profitable for
security companies which is why you never hear it suggested, even though it
actually can defend against the most common threats.

The very fact that you bring up medical systems and suggest that I proposed
leaving them unsecured shows that your only avenue for discussion was
hysteria.

> Or what about the computer systems in nuclear powerplants? In air defense
> systems? Power grids? Water supply?
> Oh come on! Just reread some of the newspapers back from Dec 31 1999!

Mythology and hysteria. The same things that promote the propagation of
network degrading central firewalls.