Re: Firedoors (fired Oors ?)
>> This is the beginning of an end to illiteracy-based security.
>>Imagine all those billions spent on firewall ("security") consultants :-))
>>It is just a matter of time before web operators start offering services based
>>on http tunnelling. With a proper mimicry there is no way to filter this out.
>The author is somewhat confused about why firewalls exist.
>They're not (usually) to keep insiders in - that's a known hard problem,
>though firewalls can sometimes be used to track what insiders send outside.
>They're to keep outside crackers out, because the damage that can
You missed the point. Declared function of firewalls is irrelevant here.
Firewall security is based on ignorance. Application level proxies are not
smart enough to do content-based filtering, therefore, if they allow some
semantics to pass through then they will allow all.
Firewalls are like white parallel stripes on the road that stop cattle
from crossing it, because there is optical resemblance to physical obstacles
that cows have experienced. Calling something "firewall" does stop only
I am not concerned about stupid attackers that are flabbergasted by words
like "firewall". I am concerned about smart ones, and the attack described is
perfectly possible. I would be surprised if it did not happen yet.
So, Confused, this is the case for strong crypto, which is the only thing that
can save corporate assets and allow for external connectivity at the same
time. Once all important services start using encryption, gaining IP access
to the intranet will be benign. You get in the building, but all doors are locked.
Connectivity and content semantics are not the same, and must be managed
separately. And the only way to protect content in a universally connected
environment is encryption.