Firewall Wizards mailing list archives
Re: Firewall best practices
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 27 Apr 2010 15:31:47 -0400
Harrell, Matthew wrote:
This then allows the firewall to scan the data in the packets[...]
I have always been kind of mind-boggled that The Internet makes abundant use of such crappy security that it's so trivially susceptible to MITM attacks. And it boggles me further that many technologists invest in technology for doing exactly this, given that the expected reaction (years ago!) should have been "time to fix SSL!" not "oh, cool! a 'secure' socket layer that is trivially MITMable! how convenient!"

If there's anything that gives us a real indication of where security sits on the trade-off scale between "nothing at all" and "utter crap" it's the SSL situation.

I guess that having crypto that sucks so badly that it's breakable is easier than having to actually ask the question, "if we are 'concerned about data leakage' why are we allowing outbound encrypted tunnels?"

In Marcus-land the way we'd do it is have crypto that didn't suck, and firewall rules that permitted outgoing crypto only to (say, if online banking was an authorized activity during office hours) a set of supported sites.

Yeah, yeah, I know, Marcus-land isn't a real place...

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewall best practices, (continued)
- Re: Firewall best practices Darden, Patrick S. (Apr 22)
- Re: Firewall best practices Martin Barry (Apr 22)
- Re: Firewall best practices Marcus J. Ranum (Apr 22)
- Re: Firewall best practices Martin Barry (Apr 23)
- Re: Firewall best practices Marcus J. Ranum (Apr 26)
- Re: Firewall best practices Carson Gaspar (Apr 27)
- Re: Firewall best practices ArkanoiD (Apr 28)
- Re: Firewall best practices david (Apr 26)
- Re: Firewall best practices John Morrison (Apr 27)
- Re: Firewall best practices Harrell, Matthew (Apr 27)
- Re: Firewall best practices Marcus J. Ranum (Apr 27)
- Re: Firewall best practices Paul D. Robertson (Apr 27)
- Re: Firewall best practices ArkanoiD (Apr 30)
- Re: Firewall best practices Andre Lima (Apr 30)
- Re: Firewall best practices Dave Piscitello (Apr 28)
- Re: Firewall best practices ArkanoiD (Apr 28)
- Re: Firewall best practices Nate Itkin (Apr 27)
- Re: Firewall best practices Dave Piscitello (Apr 27)
- Re: Firewall best practices Carson Gaspar (Apr 27)
- Re: Firewall best practices Fetch, Brandon (Apr 27)
- Re: Firewall best practices lordchariot (Apr 28)