Re: The Outgoing Traffic Problem
From: Devdas Bhagat <dvb () users sourceforge net>
Date: Wed, 19 Jul 2006 23:02:39 +0530
On 18/07/06 06:24 -0400, Marcus J. Ranum wrote:
> The end-game looks like: operating systems environments that
> execute only white-listed executables that have been authorized
> by the system owner or enterprise administrator, combined with
/me loads up a snazzy AJAX application in the browser.
"See, no application installations, no patching, everything works over
the web as long as you enable random ActiveX controls and ECMAscript".
When applications run in a VM, and the application itself can be
dynamically changed, speaking about locking the host down doesn't make
sense at all.
Web applications give you all the management benefits of centralised
applications, but none of the security benefits thereof.
They are essentially applications which run on the client, but are
downloaded every time you start the app. This is equivalent to copying
the application over every time you want to run it, but with a bit less
data transfer, since the libraries are already on the client.
> a "tie connectivity to a live human" layer for originating network
> traffic, unless the system is a server (in which case it will be
> firewalled down to just authorized services).
ECMAScript, XMLRPC, SOAP and HTTP anyone? You only need one hole in the
dike, if the hole is big enough.
> In the meantime, we'll get more emphasis on patching and
> anti-badness detectors. As we've seen, anti-badness detectors
> (IPS, A/V, IDS, anti-spyware, URL filtering, anti-spam) don't
> really work, unless you're an anti-badness vendor. And, we can
> see how well patching is working...
>
> Schneier has written interesting stuff about the difficulty of
> accurately tying a real human to a keyboard; there are signs
> that the bad guys are working on how to do man in the middle
> attacks against "captchas" and 2-factor authentication. For the
I thought they broke captchas a long time ago. Nothing like harnessing
the promise of naked women to get humans to do the work of bots.
Never send a machine to do a human's job.
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com