Dailydave mailing list archives
Re: This just in: Firewalls are obsolete
From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 12 Jul 2005 01:59:01 +0200
* Gadi Evron:
> Let's try and not confuse things though - If you do use two (or more) products, it is true you are now vulnerable with both of them. However, you are also now more secure in the event one fails. If the two "whatevers" are of the same type, the likelihood of the second following the first and.. dying (if you're lucky) is extremely high (or more so than with two of different types).
I strongly believe that vulnerabilities in firewall and application software are not statistically independent. (Obviously, I don't have hard data because disclosure in this area is certainly not industry standard practice.) But since roughly the same people write both kinds of software, using similar tools, and similar development constraints, I can't believe that the outcome is that much different. Most vendors even reuse code from their applications in their security products.
> However, there is one problem that we face which really scares me, and that is the menace of having a monoculture. One bug, and we're all dead. One bad patch, and we're all dead.
*shrug* In an attempt to aid diversification of client operating systems, we have built a new web-based monoculture. Look at how popular browsers deal with cross-site requests. All your perimeter defenses are worthless if you connect everything inside one application, the web browser. And guess what? Nothing has happened. This issue has been known for at least five years. It's even documented in some RFC (not the monoculture part, but the cross-site aspect.)