Firewall Wizards mailing list archives
RE: Castles and Security (fwd)
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Mon, 8 Jan 2001 10:36:38 -0600
<ramble>

My sense of things is two-fold. Firstly, if we are to build secure infrastructures, we need to use quality components. Would one build a castle out of straw? Despite bringing in another analogy, two of the three pigs who built "castles" were not successful! If I decide to build an infrastructure, I should have the right to choose adequate components, and if those components are somehow certified, or legally advertised to be secure, then that should be sufficient. If I build a house and select quality bricks, and find after the house was built that the bricks were made of baked sand instead of a concrete mixture (as advertised), so as to allow anyone to enter my house, I could have legal recourse. The manufacturer would be sued, and those who entered my house would also face legal prosecution, either by myself or by the state.

Of all the discussions I seem to read on this, there tends to be a targeting of the attackers, or (exclusively) the manufacturers. The problem targeting, I think, should be reinforced at the component level. The gray area of security is that there is a lack of certified products that are secure. Yes, I could take NT/2000, set that up, and follow MS guidelines, and with the typical software disclaimer I have no right to argue that my system is safe, legally speaking. Targeting should be two-pronged, at the attacker and the manufacturer. Furthermore, and this is where the open source community will benefit in the long term, components can be analyzed and fixed, whilst products from the non-open-source garage must be fixed by the vendor. One could analyze source code and ascertain a principle idea of security based on how the code was created. This is a long-winded solution, but hail the new market of certifying accountants that will audit products and grant them security levels. Ah, one may say, but we already have security certification, C2 et al.

But these tend to be used on "government classed" systems, and not the singular components that build the system. As we concentrate on component entities, one could include the protocols that are funnelled through HTTP. If a protocol can be used to bypass security, then it would not be granted a security license/certification. If, on the other hand, it is believed that such a protocol could clearly breach security, then it should be highlighted to the users of such a protocol. When this highlighted tag is actually seen, I am sure that administrators, security auditors and the like will be more careful to actually review the protocol, rather than having a reactive stance, allowing it through their firewalls and then trying to fix a security hole. This will trickle down to the research laboratories, who, when producing new protocols, should have security in mind.

</ramble>

Richard Scott
BestBuy.Com * Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy or any of its subsidiaries.

firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards