Re: Firewall best practices

["Marcus J. Ranum" <mjr () ranum com>]

Harrell, Matthew wrote:
> This then allows the firewall to scan the data in the packets[...]

I have always been kind of mind-boggled that The Internet makes
abundant use of such crappy security that it's so trivially
susceptible to MITM attacks. And it boggles me further that many
technologists invest in technology for doing exactly this, given
that the expected reaction (years ago!) should have been "time
to fix SSL!" not "oh, cool! a 'secure' socket layer that is
trivially MITMable! how convenient!" If there's anything that
gives us a real indication of where security sits on the trade-off
scale between "nothing at all" and "utter crap" it's the SSL
situation. I guess that having crypto that sucks so badly that
it's breakable is easier than having to actually ask the question,
"if we are 'concerned about data leakage' why are we allowing
outbound encrypted tunnels?"

In Marcus-land the way we'd do it is have crypto that didn't
suck, and firewall rules that permitted outgoing crypto only
to (say, if online banking was an authorized activity during
office hours) a set of supported sites. Yeah, yeah, I know,
Marcus-land isn't a real place...

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards