
List:       firewalls-gc
Subject:    Re: The Perfect Firewall
From:       "Rick" <Rick () UKSysops ! com>
Date:       1997-01-07 20:03:12

Dear Sir,

I believe that the perfect firewall could, and perhaps, does exist. The
problem with almost everything in such cases, is the human aspect. Mistakes
are made, and only one such mistake has to be made for a possible security
problem to be spawned, a weakness in the armour. All that's needed then is an
attacker to come along who figures out how to utilize it.
I tend to think of it as "A firewall is only as good as the people
implementing it"

Rick

Rick@UKSysops.com

----- Original Message -----
From: Michael H. Warfield <mhw@wittsend.com>
To: mouss <usebsd@free.fr>
Cc: Michael H. Warfield <mhw@wittsend.com>; Mikael Olsson
<mikael.olsson@enternet.se>; <Firewalls@Lists.GNAC.NET>
Sent: Monday, September 04, 2000 4:54 PM
Subject: Re: The Perfect Firewall


> On Mon, Sep 04, 2000 at 06:22:18PM +0200, mouss wrote:
> > At 11:43 04/09/00 -0400, Michael H. Warfield wrote:
> > > > Ah, yes, a machine that knows how to emulate the exact state
> > > > (timings, buffer locations, buffer sizes, amount of available RAM,
> > > > all variables, et cetera) of every piece of hardware and software
> > > > that it protects, without their original vulnerabilities, and also knows
> > > > how to protect against said vulnerabilities, without fouling up in
> > > > a single location or becoming vulnerable itself.
>
> > hey, we don't seem to have the same dictionary, no?
> > if you think that a firewall is software mummy, who watches his soft
> > children, then you're simply out of luck. nothing such that exists, and
> > it probably will never. on the other hand, firewalls do exist, and that
> > since a long time.
>
> I think you missed the point (I hope no one was standing behind you
> because they just got slaughtered by it going over your head).  The point
> is not what a "firewall" is.  We were discussing "The Perfect Firewall".
> Do you have a definition for "The Perfect Firewall"?  My definition of
> "The Perfect Firewall" equates to a certain impossible engineering
> structure some of us called a "blivit".  Doesn't mean I don't believe
> in or use firewalls.  Just means that I do NOT trust ANY of them to
> be "perfect".
>
> [...]
>
> > are you kidding? If I set up a user database for the firewall, used to
> > grant access through the firewall depending on their profile, a thing
> > kept in the database, where is the risk. or are you gonna tell me that
> > the fact the firewall accesses its config file is a risk, since he might
> > modify it? Aren't you mixing it up?
>
> If you set up a user database on a firewall, then you run a risk
> of compromise.  Ideally, if you need something like this, you should set
> up a challenge/response system with another totally autonomous system
> with all of your account information.  The firewall then never possesses
> your account information but can verify whether an account is valid or
> not.
>
> > > > ri-i-i-i-ight.
>
> > if you don't have faith, none can give it to you. so I won't try...
>
> Missing the point again...  If you depend on faith, you will
> get screwed in the end.  I don't have faith.  I make sure.
>
> > > > Now, which alien race do you propose would help us build it?
>
> > The alien people called: intelligent, skilled, positive, helpful...
> > you may be one of them if you just throw away that cover :)
>
>
> > >         Better dig out that time machine while you're at it.  I think we
> > >are going to need some future help as well.  That firewall is going to
> > >have to have that "telepathy circuit" fully functional and tested.
>
> > My friend, you are taking it the bad way...
>
> I think you totally missed the point.  Maybe I needed to add some
> more smilies in there.
>
> The point is that "The Perfect Firewall" is an oxymoron.  The
> point is that a firewall depends on too many other things such as
> security policy, users, configurations, software, services, etc, etc,
> etc.  There can be no such thing as "The Perfect Firewall" which is
> why several of us were making fun of the very idea.  Perhaps you missed
> the humor in what we were saying, or perhaps you actually believe that
> such a thing could possibly exist.
>
> In the immortal words of Foghorn Leghorn (obnoxious rooster cartoon
> character) - "It's a joke, son, a joke!"
>
> > cheers,
>
> > mouss
>
> Mike
> --
>  Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
>   (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
>
> -
> [To unsubscribe, send mail to majordomo@lists.gnac.net with
> "unsubscribe firewalls" in the body of the message.]
>
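
An added example, not part of the thread or of any poster's code: a sketch of the arrangement described in the quoted reply above, where the firewall relays a challenge/response to a separate, autonomous authentication system and never holds account data itself. The HMAC-SHA256 construction, the sample account and the names AuthServer, Firewall, client_response and demo are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class AuthServer:
    """Autonomous system holding the account secrets (constructed sample data)."""

    def __init__(self, accounts):
        self._accounts = dict(accounts)   # username -> shared secret (bytes)
        self._pending = {}                # username -> outstanding one-time nonce

    def challenge(self, user):
        # Unknown users get a nonce too, so this call cannot enumerate accounts.
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        nonce = self._pending.pop(user, None)      # single use: blocks replay
        secret = self._accounts.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce + user.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def client_response(secret, user, nonce):
    """What the user's side computes; the secret never crosses the firewall."""
    return hmac.new(secret, nonce + user.encode(), hashlib.sha256).digest()

class Firewall:
    """Relays challenge and response; stores no account data of its own."""

    def __init__(self, auth_server):
        self._auth = auth_server

    def admit(self, user, respond):
        nonce = self._auth.challenge(user)
        return self._auth.verify(user, respond(nonce))

def demo():
    secret = b"constructed-sample-secret"
    fw = Firewall(AuthServer({"alice": secret}))
    good = fw.admit("alice", lambda n: client_response(secret, "alice", n))
    bad = fw.admit("alice", lambda n: client_response(b"guess", "alice", n))
    ghost = fw.admit("mallory", lambda n: client_response(secret, "mallory", n))
    return good, bad, ghost
```

A compromise of the Firewall object here exposes only nonces and responses in transit; the single-use nonce means a captured response cannot be replayed later.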
