-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I love these discussions. As Michael pointed out, it's great that we
have a forum like this to discuss these issues. It's also great that we
have so many smart people with different perspectives. However, let me
just remind everyone that we're all on the same side here. SNS is
trying very hard to do the impossible. A large open campus network is
extremely difficult to get a handle on in terms of security. To make any
headway at all we *really* need everyone's cooperation.
Just to be clear, putting holes in any firewalls is *not* mandatory. It
is highly recommended and it is perfectly appropriate for campus
provided software to be configured as such by default.
Believe me when I say that I understand the temptation not to trust
anyone and button up your systems as tight as you can. Paranoia is very
common in infosec circles. But that doesn't always make it a good
practice.
It's not that hard, especially if you gloss over important technical
details, to think that a firewall with a small hole (like the one we're
discussing) is less secure than one without such a hole. But, the fact
is that all firewalls have *big* holes in them. This is why we use
firewalls instead of wire cutters. Firewalls let packets through and
crackers do get past them in ways that our scanners don't. The holes
for SNS scanners simply do *not* significantly impact the effectiveness
of a firewall or the security of the systems behind it.
SNS has the ability to do some very sophisticated analysis of the
systems on our network. This is a good thing that is generally
appreciated by sysadmins and users who don't have the ability to do that
analysis themselves. Putting a system behind a firewall that blocks our
scanners only serves to make everyone's job that much more difficult.
SNS cannot properly assess the security of a system based on the
firewall in front of it. That means sysadmins and users behind such
firewalls are on their own and, to be effective, they'll need to
duplicate all of SNS's efforts. As much as I respect everyone who has
been participating in this discussion, I can assure you that you can't
do this as effectively without the tools, expertise, and campus-wide
perspective that SNS has. SNS can help. But we need cooperation.
The bottom line is that these firewall holes are not a significant
security threat. But, vulnerable and compromised systems that SNS can't
see are a very significant security threat.
Craig Lant
Campus Information Systems Security Officer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFCggoY0utcLN0BLdARAtKiAJ4sWvnEUDtWLFBJTZtU5LHUmD0QrgCfahMK
e9tEwydVjOjBpHSUZDX5Cx8=
=2FK/
-----END PGP SIGNATURE-----
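The "small hole" the message argues about is a source-restricted allow rule for the campus scanners, as opposed to the service ports most hosts already open to the whole network. The following audit script is an added example, not code from SNS or from anyone in this thread: it parses a constructed iptables-save style INPUT ruleset and separates the scanner exception (ACCEPT rules whose source lies inside an assumed scanner range) from rules that accept traffic from any source. The scanner subnet 10.0.0.0/28 is a placeholder; the real SNS scanner addresses are not given on this page.

```python
"""Audit a host firewall for a source-scoped scanner exception.

Added example. Parses iptables-save syntax for the INPUT chain and reports:
  - whether an ACCEPT rule scoped to the scanner range exists
  - which ports are accepted from any source (the "big holes")
  - other source-limited ACCEPT rules, for review
Assumptions (not from the original message): the scanner range below is
hypothetical, and the sample ruleset is constructed for illustration.
"""
import ipaddress
import shlex

# Hypothetical scanner source range; substitute the real one for your campus.
SCANNER_NET = ipaddress.ip_network("10.0.0.0/28")

# Constructed sample: default-deny INPUT, a scanner exception, two open services.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/28 -p tcp -j ACCEPT
-A INPUT -s 10.0.0.0/28 -p udp -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Return the fields of one '-A INPUT ...' line, or None for other lines."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A" or toks[1] != "INPUT":
        return None
    rule = {"src": None, "proto": None, "dport": None,
            "target": None, "ctstate": False, "raw": line}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "-s":
            rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            i += 2
        elif tok == "-p":
            rule["proto"] = toks[i + 1]
            i += 2
        elif tok == "--dport":
            rule["dport"] = toks[i + 1]
            i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif tok == "--ctstate":
            rule["ctstate"] = True  # stateful return-traffic rule, not a hole
            i += 2
        elif tok == "-m":
            i += 2  # match module name follows; skip it
        else:
            i += 1
    return rule


def audit(ruleset_text, scanner_net=SCANNER_NET):
    """Classify INPUT ACCEPT rules relative to the scanner range."""
    summary = {"scanner_exception": False, "scanner_rules": [],
               "wide_open": [], "other_src_limited": []}
    for line in ruleset_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["target"] != "ACCEPT" or rule["ctstate"]:
            continue
        port = (rule["proto"], rule["dport"])
        src = rule["src"]
        if src is None:
            summary["wide_open"].append(port)  # reachable from anywhere
        elif src.version == scanner_net.version and src.subnet_of(scanner_net):
            summary["scanner_rules"].append(rule["raw"])
        else:
            summary["other_src_limited"].append((str(src),) + port)
    summary["scanner_exception"] = bool(summary["scanner_rules"])
    return summary


if __name__ == "__main__":
    result = audit(SAMPLE_RULES)
    print("scanner exception present:", result["scanner_exception"])
    print("ports open to any source:", result["wide_open"])
    print("other source-limited accepts:", result["other_src_limited"])
```

On the sample ruleset the scanner exception is present and the ports open to every source are tcp/22 and tcp/3306, which is the comparison the message makes: the scanner rule admits one small source range, while the service ports were already reachable by anyone on the network. Run the same audit against `iptables-save` output from a real host (after replacing the placeholder range) to check that a scanner exception is present and no wider than intended.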
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Wed May 11 06:39:59 2005
This archive was generated by hypermail 2.1.8 : Wed May 11 2005 - 06:40:00 PDT