Firewall Wizards
mailing list archives
Re: A fun smackdown...
From: Chuck Swiger <chuck () codefab com>
Date: Sat, 21 May 2005 11:48:37 -0400
On May 20, 2005, at 9:57 PM, Marcus J. Ranum wrote:
> Chuck Swiger wrote:
>> You are disagreeing with a design principle from the RFCs which
>> discusses how to create robust software protocols.
>
> The RFCs often used to contain the phrase "this RFC does not address
> security." Is that one of those great design principles the IETF uses
> to create "robust software protocols"??

Sometimes, yes. I'd rather see an explicit statement that says, "this
is not a secure protocol", than use something which pretends to be
secure, yet is not.

The older RFCs-- before 2000 or so-- were a lot more concerned with
defining standards for interoperability than for security. Newer RFCs
tend to show a lot more concern for security.

> The RFC process creates interoperable *CRAP*.

Let's accept this as true for a moment. Can you point to something
better?

What about the ISO model, the X.400 & X.500 schemas, and ASN.1?
How well have BER, SNMP, SSL certs, and all of that done in practice for
security?

Or how about the security vendors, who break standards to create
proprietary, non-interoperable crap? What's the current status of
VRRP? Is that an open standard, free for all to use, or is it
encumbered?

[ ... ]

> The RFCs are written by well-intentioned amateurs who never gave
> a rat's a&& for security, and the resulting Internet reflects it.

Not always. There are people, even on this list, who could learn
something from:

http://www.ietf.org/rfc/rfc2196.txt

   As an aside, building a "home grown" firewall requires a significant
   amount of skill and knowledge of TCP/IP. It should not be trivially
   attempted because a perceived sense of security is worse in the long
   run than knowing that there is no security. As with all security
   measures, it is important to decide on the threat, the value of the
   assets to be protected, and the costs to implement security.

Give that RFC a fair read, Marcus, and then see whether you still agree
with your own generalization above.
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards