On Thu, Feb 13, 2003 at 10:02:54AM -0500, Kent Borg wrote:
> On Thu, Feb 13, 2003 at 07:56:23AM -0600, Dave Ihnat wrote:
> > We all urgently push you to implement a firewall...any firewall...
>
> No we don't (with or without smilies), I do not advise a firewall
> unless you are trying to protect some MS Windows garbage and that is a
> losing battle you are better off not trying to fight.
>
> <<Rest of message elided>>

With all due respect, not only is that a very misguided attitude, it's a dangerous one to promulgate. No, a firewall is NOT the be-all and end-all of security; no tool can be. Security is a mindset and a process, not a bunch of tools. In that process, for systems exposed to the outside world--or even within an organization with different divisions or departments that require compartmentalization--a firewall provides a critical control and auditing point.

Read what you said--effectively, RedHat has had to preen dozens of packages, each and every one of which may be network-capable, written by people with a wide disparity of skills, approaches, and experience. At any time, you may load, upgrade, or remove components from the system--or even make a change to the configuration alone that opens one or more of these to intrusion. There IS no way to protect against this in all cases--specifically, anything you've explicitly permitted to access the world outside your firewall has to be watched--but at least inadvertent exposure is prevented by a proper firewall.

Probably the thing that most distresses me about your attitude is that your system is the kind that gets owned and causes ME problems. Or maybe you're very, very vigilant and quite knowledgeable, and spend your spare time auditing the system and watching the logs, and are lucky enough not to get owned. Even so, you're taking a more labor-intensive and risky road, and are still more likely to have an error open you to a cracker.

But much worse, you're telling--encouraging--evangelizing for OTHER people to do it your way. And of all the people out there, I can guarantee you that there are many who will NOT be able to audit their systems, will NOT be able to button them down and *keep* them buttoned down. You're doing us all a great disservice. Unless, of course, you're really a cracker and are encouraging this to make your life easier; then you're providing a service to *your* community.

--
Dave Ihnat
[EMAIL PROTECTED]