Quote:
Originally posted here by catch
I stated fact. Firewalls are intended for X|Y; if neither X nor Y is true, the firewall is not called for.
That may be your opinion, but firewalls have many more functions than the black and white situations you present.
Quote:
Where did I say this?
All through your posts. Intrusions are acceptable if the value of the data is outweighed by the cost of protecting it. That may be suitable for governments, but perhaps not everyone else holds their data to such low standards.
Quote:
You view my solution as a lack of protection merely because it is not a type of protection you agree with or understand; it is still protection.
No, I fail to see how it fits within any modern commonly-accepted home computer security model. I invite you to examine the two linked SANS documents in the previous post. Even if you find SANS to be a complete joke, you should at least do the courtesy of actually researching the material I present, as I have done for you.
Quote:
My intent would be to have the original poster have the highest security, usable system... do you think they'll get there by listening to me or by installing Zone Alarm?
And yet you continue to dodge providing me a tangible reference to the examination of how a firewall decreases the security of the overall system in a practical sense. If theoretically you are correct, it should be trivial to provide numerous examples of it, should it not?
Quote:
All that can be done is provide a framework; depending on how forceful that framework is and/or the cooperation of the system custodian controls the rest.
Exactly. In such a situation, you would not value increasing the security, due to some theoretical clash of your view of how a firewall *should* be used?
Quote:
First, the firewall deals with the security of the network; however, if there is no network between the firewall and the systems it is securing, well then what is it securing?
Actually, that is but one type of firewall.
Wikipedia: Personal Firewall:
Quote:
A personal firewall is traditionally a piece of software installed on an end-user's PC which controls communications to and from the user's PC, permitting or denying communications based on a Security Policy.
A personal firewall differs from a conventional firewall in that there is no separation between the firewall software on the user's PC and the user's application software. A personal firewall will not usually protect any more than the one PC it is connected to, unless other PCs are sharing Internet connectivity via the protected PC.
Another distinction from conventional firewall software/devices is that personal firewalls are able to control communications using methods such as prompting the user each time a connection is attempted, and 'learning' from the responses, to determine what Internet traffic a user would like to permit to/from their PC.
This software may also provide some level of intrusion detection, allowing the software to terminate or block connectivity where it suspects an intrusion is being attempted.
Simply because this clashes with your view of what a "firewall" is, doesn't invalidate its use, nor does it decrease the security of the system. Show me the various exploits you have applied to various versions of personal firewall software. If you are going to make claims that it in fact decreases the security of the system, then back them up with hard evidence.
Quote:
Second, I stated: "Adding to the complexity of ANY system without altering its security functionality (and even then if this functionality falls outside of the reference monitor) makes the system less secure." Clearly a firewall is outside of the system's reference monitor.
Actually, considering your view of a firewall, that may be the case, but as I stated above, your view is not the only view.
Quote:
Not at all; suggesting a different counter-measure is a part of risk mitigation, which falls under the risk portion of computer security. Policy development deals with classifying and implementing the selected counter-measure from risk management. Security Policy has nothing to do with choosing between two types of counter-measures.
Of course it doesn't. That isn't the issue here. The issue is your statements that have yet to be validated in any manner.
Quote:
How do you know it isn't? Have you ever looked into it? Either way, it still holds valid. IS security is just logical math; rules apply. Extremes are easier to prove: if you cannot find a paradox in the extreme, then you can't find one in the subtle, where things get murkier.
Practical and theoretical are not always the same. Again, back up the statements regarding the security of a home system being adversely compromised by installing a personal firewall with hard evidence.
Quote:
Yes, because most people are lazy and uneducated. It's "wisdom" 'cause it kinda sorta works; otherwise it'd be called "knowledge."
I don't see what this has to do with the section you quoted. Such wisdom is no less valid simply because the user doesn't obtain it from firsthand experience. Or are you advocating that everyone spend the sum of their lives doing nothing but ensuring humanity actually has things right in all areas?
Quote:
We discussed this before as well, about hardened systems by default. The system in question will not be hardened in any way; in fact it will be significantly weakened (remember what I said about using extremes as they are easier to prove?).
I don't quite understand what that would gain anyone. The box will be infected with one of a dozen viruses within a matter of moments of it being put online. What point are you trying to prove exactly?
Quote:
I will offer a Windows 2000 http/ftp server with the following:
1. The ftp root will be world writable and contained within the http root for simpler execution.
2. All anon access for the IIS user will be via SID:500.
3. The admin account policy will not be altered in any way.
4. IIS will be in default installation.
All this will prove is that default installs aren't secure on Windows 2000.
Quote:
You will be free to upload any malicious scripts that you feel like, any trojans, cmd.exe if you like so you can have a command line.
All you need to do is deface the homepage, which will be owned by, and fully controlled by, SID:500.
Does this sound fair to you?
Quote:
If I win and the system cannot be compromised in 96 hours, I never get attacked again for my advice by anyone who attempts, in addition to a public apology.
If I lose, I will admit that I was wrong, apologize in public and not return to this site.
Deal? ;)
No deal under those conditions; I am not seeking to have anyone apologize, or leave a site, or anything here. You threatened to do that once before, and I see no point in continuing this melodrama. If I were to do this at all it would be for research purposes.
I am continuing this discussion because I am intrigued by the answers you have to various questions. If you can keep on track, maybe people here will learn something concrete about firewalls, or this will go down in the AO archives as just another argument that was never satisfactorily resolved.
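The personal-firewall behaviour described in the quoted Wikipedia passage (deciding each connection against a policy, prompting the user for unknown traffic and learning the answer, plus a basic intrusion-detection response) can be modelled directly. The following is an added example written for this page, not code from the thread, from Wikipedia or from any firewall product; the application names, the RFC 5737 documentation addresses, the rule key that ignores the remote address, and the block-after-three-denied-inbound-attempts heuristic are all constructed assumptions.

```python
"""Toy personal-firewall policy engine (constructed example, not from the thread).

Models the behaviour the quoted Wikipedia text describes: per-connection
allow/deny against a policy, prompting the user for unknown traffic,
'learning' the answer, and a crude intrusion-detection heuristic that
blocks a remote host after repeated denied inbound attempts.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Connection:
    app: str        # local program involved (hypothetical names)
    direction: str  # "out" (app initiates) or "in" (remote initiates)
    remote: str     # remote IP address
    port: int       # remote port for "out", local port for "in"
    proto: str = "tcp"


# A learned rule is keyed on everything except the remote address, so one
# answer covers the application, not a single peer (an assumption; real
# products differ in how broad the learned rule is).
RuleKey = Tuple[str, str, int, str]


@dataclass
class PersonalFirewall:
    ask_user: Callable[[Connection], bool]       # prompt callback; True = allow
    rules: Dict[RuleKey, bool] = field(default_factory=dict)
    denied_inbound: Dict[str, int] = field(default_factory=dict)
    blocked_hosts: Set[str] = field(default_factory=set)
    block_threshold: int = 3                     # denied inbound attempts before a host is blocked
    prompts: int = 0
    log: List[str] = field(default_factory=list)

    def decide(self, c: Connection) -> bool:
        # Hosts already flagged by the intrusion heuristic are dropped silently.
        if c.remote in self.blocked_hosts:
            self.log.append(f"DROP  {c.direction:<3} {c.app} {c.remote}:{c.port} (host blocked)")
            return False
        key = (c.app, c.direction, c.port, c.proto)
        if key in self.rules:
            verdict, why = self.rules[key], "learned rule"
        else:
            self.prompts += 1
            verdict = self.ask_user(c)
            self.rules[key] = verdict          # learn the answer for next time
            why = "user prompt"
        # Crude intrusion detection: repeated denied inbound traffic from one
        # remote host gets that host blocked outright.
        if not verdict and c.direction == "in":
            n = self.denied_inbound.get(c.remote, 0) + 1
            self.denied_inbound[c.remote] = n
            if n >= self.block_threshold:
                self.blocked_hosts.add(c.remote)
                why += ", host now blocked"
        self.log.append(f"{'ALLOW' if verdict else 'DENY '} {c.direction:<3} {c.app} {c.remote}:{c.port} ({why})")
        return verdict


def scripted_user(c: Connection) -> bool:
    """Stands in for the human at the prompt: only the browser's outbound web traffic is approved."""
    return c.app == "browser.exe" and c.direction == "out" and c.port in (80, 443)


# Constructed sequence of connection attempts (RFC 5737 documentation addresses).
ATTEMPTS = [
    Connection("browser.exe", "out", "203.0.113.10", 443),
    Connection("browser.exe", "out", "203.0.113.20", 443),   # covered by the learned rule, no prompt
    Connection("updater.exe", "out", "198.51.100.5", 8080),
    Connection("system",      "in",  "192.0.2.7",    445),
    Connection("system",      "in",  "192.0.2.7",    139),
    Connection("system",      "in",  "192.0.2.7",    135),   # third denial: host blocked
    Connection("system",      "in",  "192.0.2.7",    80),    # dropped without a prompt
]


def run_demo() -> PersonalFirewall:
    """Feed the constructed attempts through a fresh firewall and return it for inspection."""
    fw = PersonalFirewall(ask_user=scripted_user)
    for c in ATTEMPTS:
        fw.decide(c)
    return fw


if __name__ == "__main__":
    for line in run_demo().log:
        print(line)
```

Running it shows the two properties the quoted passage attributes to personal firewalls: the user is prompted five times, not seven, because the second browser connection is settled by the learned rule and the last inbound attempt is dropped by the host block, and the state that does the filtering lives entirely on the protected PC, which is exactly the "no separation between the firewall software and the user's application software" point the quote makes.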