Marus J. Ranum posted an interesting article on the Six Dumbest Ideas in Computer Security. His article goes though many of the management fallacies that I've spent the last decade fighting against in countless consulting engagements.
Although Marcus makes some excellent points, however where he listed some "minor dumbs" he states that firewalls should always be used.
It's my experience that there could be a better way. We could decide as a group that the fundamental protocols (DNS, ARP, etc.) of the Internet should be rewritten to not be based on the assumption of implicitly trusting others. This assumption was more true in the Internet’s infancy when it was primarily a inter-college network. But in modern life, we don't trust strangers much, so why should our computers do so?
On Bruce Schneier's weblog there was an excellent discussion regarding this topic. My comments are listed under "David D" and Marcus responded, for the most part, agreeing with me.
It should be also noted that the ideas proposed here are based on recent conversations with folks at Sun and mirror concepts previously stated in Marcus's 1998 Black Hat keynote: re-code the Internet and blame it on Y2K and discussed in Abe Singer's "Security Without Firewalls" approach to distributed system security.
|