Friday, April 30, 2010

firewall-wizards Digest, Vol 48, Issue 18

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Firewall best practices (ArkanoiD)
2. Re: Firewall best practices (Andre Lima)


----------------------------------------------------------------------

Message: 1
Date: Wed, 28 Apr 2010 20:56:15 +0400
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Cc: "mjr@ranum.com" <mjr@ranum.com>
Message-ID: <20100428165615.GC5208@eltex.net>
Content-Type: text/plain; charset=koi8-r

Surely the whole thing is about *policies*, not 'devices'. Yes, we knew that since the
very beginning that PKI on the internets is just a cardhouse. But we yet to see a
root CA to commit business suicide such an unusual way (and it is surely a suicide
as detection is easy and chances to do that unnoticed are pretty low).

The problem is, it doesn't necessary needs to be root CA. Just any entity with properly
signed certificate with CA basic constraints set.

On Tue, Apr 27, 2010 at 11:12:40AM -0500, Fetch, Brandon wrote:
> Too late:
> http://files.cloudprivacy.net/ssl-mitm.pdf
>
> And these devices are already in deployment...now, imagine one of these with a wildcard certificate running at a coffee house, or at the aggregation point within a provider's CO POP...
>

------------------------------

Message: 2
Date: Wed, 28 Apr 2010 20:58:29 +0100
From: Andre Lima <andreflima@gmail.com>
Subject: Re: [fw-wiz] Firewall best practices
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4BD89365.1050305@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

With all due respect to Paul and Marcus, SSL is NOT crappy! Most bugs
are implementation induced (openSSH or other less known) and the most
known SSL strip vulnerability is not a problem of SSL but rather a user
awareness issue, because if everyone payed attention to the 's' in https
on their browser, that attack wouldn't be so troublesome.

With respect to the fact that encrypted traffic does go through a
firewall with no inspection...well guess what: that means SSL is great
since it's obviously performing its task well, which is maintain privacy
of the traffic!

The issue here is mostly philosophical/political than technical. People
demanded privacy and SSL delivered. One doesn't stop using the internet
(or any other resource for that matter) just because it is also used by
"bad guys".

Bottom line: SSL rocks!!!

--
Andr? Lima
http://pt.linkedin.com/in/aflima

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 48, Issue 18
************************************************

No comments:

Post a Comment