Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: [Dailydave] This just in: Firewalls are obsolete
From: Gadi Evron (gelinuxbox.org)
Date: Mon Jul 11 2005 - 18:40:52 CDT
Florian Weimer wrote:
> * Gadi Evron:
>>I am getting rather tired of "everything over port 80" and calling
>>everything a firewall this or firewall that.
> I find it rather instructive to keep in mind that languages like PHP
> are widely used to implement firewall components. Unfortunately, most
> PHP developers wouldn't agree. 8->
Erm.. if we go for annoying things..
I find it rather annoying that every bit of software out there today
demands to be allowed to communicate with its "home base". Can't updates
be done differently this advanced day and age?
There's an entire market about to evolve, of machines very similar to
MS's SUS server (now a different name) which would relay patches from
outside servers to inside servers and then the end machines. The patches
are still the same as when they entered the so-called "secure" tunnel,
but they went through a few hoops along the way.
Which brings us to another major issue some of us try and solve.. and
that never ends.
The only way you have, eventually, to secure any communication coming
from the outside is by receiving it first.
If for example you want to verify a certificate, you'd have to.. erm..
You can use web services, kerberos, etc. but eventually the machine
people connect to is still potentially vulnerable, and the next machine
down the line is vulnerable to it all the way to your CA, DB, LDAP
server or whatever else.
Only way you can protect it right now is by adding another and yet
another hop along the way, which is silly.
I am exaggerating.. but these problems persist and yet nowadays, with
all our advanced technology.. we still can't really identify a computer
without being potentially vulnerable to replay attacks, certificates
being stolen, data being forged, etc. Can you think up of any way to be
really sure, with knowledge which is not secret and therefore relies on
obscurity or a real security guard, that the computer you are talking to
really is that computer?
One might say the same applies to a person, but you can be *reasonably*
sure you are talking to Jack Black when he shows you his certificate and
passes another test to show he knows the code, as an example.
Dailydave mailing list