
Re: hurd does NOT need /hurd



On Tue, May 21, 2002 at 09:22:55AM +1000, Anthony Towns wrote:
> On Mon, May 20, 2002 at 05:13:55PM -0400, Michael Stone wrote:
> > I'm sure hurd has fundamental control: if they don't want someone
> > connecting to a hurd box, they won't run any network servers. 
> 
> If you're going to take that attitude you might as well tell them to
> turn the computer off.

Not quite. But it does suggest that the firewall isn't essential for
security.

> > It's also correct, from a certain point of view. </obi-wan> There is a
> > school of thought that firewalls are only useful if you are trying to
> > protect network services that you can't secure properly.
> 
> Which is quite accurate. We can't secure our services properly. If we
> could, we would have, and we wouldn't be wasting time worrying about
> making sure we can do security updates in a timely manner.

Again, if you have no faith at all in the security of your service, the
only useful firewall rule is "DENY" from "ALL", which is equivalent to
"don't listen". For that matter, why are you complaining about the lack
of a firewall in hurd while our default install has network services
without even the firewall that you use as a security blanket?
(Another argument, but one I'd really like to win by woody+1.)
<"security blanket" reference added for humorous effect>

> > More importantly, for this school of thought, is the fact
> > that firewalls offer a false sense of security. 
> 
> Actually, they offer a much *stronger* sense of security. It's easier
> to say "Don't allow any traffic from this device to port 80" with a
> system-wide firewalling tool and be confident that nothing's going to
> get in, than to do the same thing from the application.

How do you feel more confident that the firewall won't break than that a
web server won't magically install itself? 

At any rate, the point isn't that I won't allow the use of firewalls,
but that they aren't an essential element of all security models. tb
overstated his point, but it shouldn't be dismissed.

-- 
Mike Stone
