[LINK] What's a reasonable level of code-checking?

Darryl (Dassa) Lynch dassa at dhs.org
Sat Aug 19 09:19:23 AEST 2006


link-bounces at anumail0.anu.edu.au <> wrote:
|| Rick Welykochy wrote:
||| --- David Lochrin <dlochrin at d2.net.au> wrote:
||| 
||||    The problem with a "locked-down purpose-built network box for
|||| connecting consumers to the big wide info-autobahn" is that we'd
|||| need a range of boxes configured for each consumer's profile of
|||| applications.  This customer wants to run VoIP, that one wants to
|||| run some combination of games, and another wants an IPsec
|||| tunnel to their employer.  A network-box which allowed
|||| everything would not be very secure.
||| 
||| Is that a problem, really? Identify the top 10 protocols and usages,
||| make them "The Requirement" and support nothing else. Supposedly,
||| the chosen protocols and usages will cover the 95% of "mom and dad
||| and kids" users out there. Forget about the rest. Leave them "as
||| they were." 
|| 
|| Frankly, I think the mom, pa, kids, users would need more
|| protocols than the corporate road warrior.
|| 
|| M,P,K - smtp, pop3, im, skype, sip, rtp, irc, http, https, quake,
|| WoW, etc 
|| 
|| RW - smtp, pop3, imap, isakmp, esp, l2tp, pptp, http, https, etc --

The more protocols available, the less secure.  To be really secure, each
protocol would also be locked down to specific destinations.  A stateful
firewall which would also inspect the packets for known issues would also be
required to cut down on spoofing and middle man attacks.  Still not totally
secure but starting to get there.  The only really secure way is to have
direct connections to the destination without devices belonging to others
anywhere in the link.

We compromise with security and cost.

Darryl (Dassa) Lynch 
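
[Added example, not part of the original post: a small Python model of the two controls described above, a per-protocol destination allowlist plus stateful matching of return traffic. The policy table, class name and addresses (RFC 5737 documentation ranges) are constructed for illustration.]

```python
import ipaddress

# Constructed policy: (transport, destination port) -> networks that service may reach.
ALLOW = {
    ("tcp", 25): ["192.0.2.25/32"],    # smtp: the ISP relay only
    ("tcp", 110): ["192.0.2.110/32"],  # pop3: the ISP mail store only
    ("tcp", 443): ["0.0.0.0/0"],       # https: cannot be pinned to one destination
}


class StatefulEgressFilter:
    """Default-deny filter: outbound must match the allowlist, inbound must match a flow."""

    def __init__(self, allow):
        self.allow = {
            key: [ipaddress.ip_network(net) for net in nets]
            for key, nets in allow.items()
        }
        self.flows = set()  # 5-tuples of connections opened from the inside

    def outbound(self, proto, src, sport, dst, dport):
        nets = self.allow.get((proto, dport))
        if nets is None:
            return "drop: protocol not allowed"
        if not any(ipaddress.ip_address(dst) in net for net in nets):
            return "drop: destination not allowed"
        self.flows.add((proto, src, sport, dst, dport))
        return "accept"

    def inbound(self, proto, src, sport, dst, dport):
        # A reply is accepted only if it mirrors a tracked outbound flow.
        # This stops off-path spoofing; a device on the path that can see
        # the 5-tuple can still forge a matching packet.
        if (proto, dst, dport, src, sport) in self.flows:
            return "accept"
        return "drop: no matching flow"


if __name__ == "__main__":
    fw = StatefulEgressFilter(ALLOW)
    print(fw.outbound("tcp", "10.0.0.5", 40000, "192.0.2.25", 25))    # pinned relay
    print(fw.outbound("tcp", "10.0.0.5", 40001, "198.51.100.9", 25))  # other SMTP host
    print(fw.outbound("udp", "10.0.0.5", 5060, "198.51.100.9", 5060)) # sip not in policy
    print(fw.inbound("tcp", "192.0.2.25", 25, "10.0.0.5", 40000))     # genuine reply
    print(fw.inbound("tcp", "203.0.113.7", 25, "10.0.0.5", 40000))    # spoofed source
```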



