Firewall Wizards mailing list archives

Re: Personal Firewall Day?


From: Dragos Ruiu <dr () kyx net>
Date: Tue, 7 Oct 2003 02:26:33 -0700

On October 6, 2003 01:50 pm, Marcus J. Ranum wrote:
> Crispin Cowan wrote:
> > I submit that dumb terminals are dead & gone
>
> I said we needed to kill general-purpose computing, not go to dumb
> terminals. Why did everyone assume I was talking about dumb terminals?
> Basically, I think we need to go to locked-down devices that do all the
> interesting processing locally but store their interesting stuff on a
> backend. There are plenty of examples of viable and excellent divisions
> between front-end appliances and backend systems that allow the front-end
> to be "disposable" yet still do 99.9% of the processing. AOL is a good
> example, as are some of the massively multiplayer games. It should be
> feasible (technically) to produce a desktop that can drive an IMAP client,
> a browser, an office automation suite, HTML editor, and image editor on the
> front end with remote file storage of personal data (non-system info) on a
> backend. None of this is rocket science. But we're addicted to general
> purpose computing because we (mistakenly) perceive a need to upgrade
> system components in order to save costs over time. We also are addicted
> to general purpose computing because our software base is so buggy that
> we need to upgrade software components constantly in hopes of finding
> something that doesn't crash. General purpose computing also brings
> gigantic hidden costs in terms of system administration and GP systems'
> vulnerability to trojans and viruses. Reverting to a monoculture would
> actually help us address a lot of these issues.

But distributed storage and computing is much more fault tolerant than
centralized systems. Proposing putting all your eggs into one basket 
is never wise.

I can't actually believe you are suggesting a monoculture is a good thing.
I administered quite a few big Unix boxes, and MIS departments in their
empire-building attempts to justify recentralizing always omit some of the
notable disadvantages to centralization, like the fact that small incremental
upgrades to newer processors, OSes, and software are impossible or
difficult. You don't have to get a large capital allocation to replace the
big box; you can buy some zippy new small boxes for key apps. And
there are countless others. System upgrades don't have to be massive
all-or-nothing multi-year committee study efforts in a distributed
environment... just a pain in the ass for the IT department to find
the stragglers... :-)

Moore's law killed mainframes not any addiction to software. The 
system rack next to my desk has more computing power and 
storage than all the supercomputers in the world combined back
when I used to administer such things. Tough to argue with that.

As far as vulnerability to viruses, sure, theoretically your acolytes and high
priests that administer the central monolith can likely be counted on not to
click on the wicked screensaver, but with that monolith architecture all
it takes is one mess-up to knock everything offline, as opposed to n% of
a distributed architecture manned by undertrained users.

Locked-down devices also presume that the locker knows better
than the users what they want to do with the device. I doubt that.
When I worked at HP we had (I believe they still use/sell it) this wonderful
innovation called Common Operating Environment. COE pretty much 
assured that if you wanted to get something done you had to abide 
by the mediocre software set available in it as opposed to the 
applications you really wanted. You could opt out, but it was an 
all or nothing deal - with considerable disincentives like inability to 
participate in any central volume purchasing discounts and substantial 
budget charges. In practice it always took longer for fixes to roll
out in the COE system than the time a knowledgeable user would
take to deploy it individually as needed, because of the substantial
additional complexity of testing it for everyone. COE software was 
perpetually one or more versions behind current. Uh, blech. 

A key disadvantage to centralized locked-down systems is that
for the sake of consistency you have to hobble your knowledgeable
users to the lowest common denominator of capabilities.

Every coin has two sides. I know which side I'll call on this issue.

cheers,
--dr

-- 
Top security experts.  Cutting edge tools, techniques and information.
Tokyo, Japan   November, 2003   http://www.pacsec.jp
pgpkey http://dragos.com/ kyxpgp
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
