Re: [fw-wiz] How automate firewall tests

"Marcus J. Ranum" wrote:
[snip]
> If you want to
> look at things from my (admittedly weird) perspective, the current fondness
> for "patch your software constantly" is proof positive that packet-based
> firewalls don't (and never did) work except for at a very gross level.
That's not "weird" by any stretch of the imagination. It may be
"unpopular." It may not be "mainstream." But weird it ain't. It's
just intelligent, educated and honest. Problem is: People (read: PHBs,
mainly) don't want intelligent, educated and honest. They want their
latest whiz-bang crosses-the-boundary-between-internal-secure-and-external-unsafe
application to just work and don't bother me with the
details thankyouverymuch. Never mind the ISPs that knowingly give
electronic Petri dishes direct connectivity to the 'net, without even a
modicum of blocking/filtering/what-have-you.
This is complicated by Certain Vendors who proclaim that sophisticated
computing environments can be capably managed by somebody who's taken a
short course or read a few books, and a point-n-drool GUI.
The results are predictable. Viruses/worms/Trojans run amok. Email
delivery is unreliable. Major corporations regularly find their
internal network paralyzed. And on and on.
Oddly enough: The people "victimized" by all this exhibit all the signs
of insanity: They keep doing the same thing and expecting different
You're not "weird," Marcus. It's the rest of 'em that're weird. I'm
reminded of this:
"If fifty million people say a stupid thing,
it is still a stupid thing." - Anatole France
firewall-wizards mailing list