Firewall Wizards
mailing list archives
Re: tunnel vs open a hole
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Sun, 06 Apr 2003 21:12:13 -0400
Barney Wolff wrote:
> In the good old days, the definition of "firewall" was "that which
> implements your security policy" rather than "the box with that label".

Hey!!! I remember that definition!! <LOL> .. I ought to.....

> The implication of this reasoning is clear: If you don't control the
> internal tunnel endpoint(s), you don't control your security policy.

Yup. The problem is that there's so much shovelware, spyware, trojanware,
and social-engineerware that you DON'T really control the endpoints, you
just think you do. I've seen waaaay too many companies think "we have a
firewall, so we don't need to worry" - and not have antivirus software on
their interior machines because they are "safe" behind the firewall. It's
scary. :( We made a big mistake when we started building firewalls that
allowed outgoing connections that were not individually authenticated and
associated with a human user's request.
mjr.
---
Marcus J. Ranum http://www.ranum.com
Computer and Communications Security mjr () ranum com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards