Nicole Zimmerman <colby@wsu.edu> wrote: > > Turning off services makes an excuse for the real problem -- software > needs to be secure, and people need to make sure they are using software > that is secure. There's no such thing as absolute security. Every service you run will have bugs and security vulnerabilities in it. There's no way to get around that. Since we've established that there's no such thing as secure software, it follows that every service you run presents a security risk. If you don't need the service, there's no need to take the risk. > Firewalling services makes the same excuse. "I don't care if my software > is secure because I have a firewall!" ... what happens if your firewall > gets penetrated? What happens if some local user (hard) reboots your box > because they want it to run an NFS server? Firewalling services is useful if you have more than one access policy for your services: People from network A need access, so we'll make that easy. People from network B do not, so we'll make that difficult with the intent that the difficulty tends towards impossible. Firewalls are also a simple way to add an extra layer of security to your services. Each extra layer you add should reduce risk in some way. > If you have secure software, you don't really have to worry about running > those services, do you? See above about there being no such thing as absolute security. See above about unnecessary risk. Also see above about layers of security, and think of the OFF button as just another layer that's fast, easy and very cheap to implement, as well as being very effective. -- Sam Couter | Internet Engineer | http://www.topic.com.au/ sam@topic.com.au | tSA Consulting | OpenPGP key ID: DE89C75C, available on key servers OpenPGP fingerprint: A46B 9BB5 3148 7BEA 1F05 5BD5 8530 03AE DE89 C75C
Attachment:
pgpNzdSZ82NGv.pgp
Description: PGP signature