Re: FIX for ZoneAlarm & KB951748 issue released
Harry Johnston [MVP] wrote:
> John John (MVP) wrote:
>
>> You constantly shift the discussion from the value of proper egress
>> filtering to software firewalls, even though I have said right from
>> the start that egress filtering at the firewall can be foiled and that
>> users should consider better methods. So get it in your thick skull,
>> egress filtering at a perimeter appliance is a sound security measure,
>> [...]
>
>
> As far as I recall, nobody in this thread has ever said otherwise. The
> discussion is about software firewalls, after all!
>
> Harry.
Read Kayman's posts, specifically:
John said:
>>> There is also a developing and troubling trend in this whole debate, one
>>> that some people are bent on spreading at all costs, that because
>>> software firewalls are not immune to exploits by malware attempting to
>>> send data to outside networks, then by simple deduction any and all
>>> egress filtering as a security concept is unnecessary. Egress filtering
>>> at the perimeter, done by reliable network appliances, is a vital part
>>> of network security, without proper egress control your network security
>>> is incomplete, ignore egress traffic at your own perils!
Kayman said:
> Fact:
> Outbound control on an XP platform as a security measure against malware is
> still utter nonsense.
> The windows platform was designed with usability in mind providing all
> kinds of possibilities for e.g. inter-process communication. This
> together with the very high probability that the user is running with
> unrestricted rights makes it impossible to prevent malware allowed to
> run and determined to by-pass any outbound "control" (which, of course,
> modern malware is) from doing so. It's simply too unreliable to
> qualify as a security measure.
Does that not say that "any" outbound control (egress control) is "utter
nonsense that is too unreliable to qualify as a security measure"? The
comment was made in direct reply to my statement that egress filtering
at the perimeter was a vital part of network security; how else can you
interpret Kayman's reply?
John
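As an added illustration of the perimeter egress filtering John is defending (example code written for this edit, not from any poster in the thread), the following Python model evaluates a default-deny outbound policy the way a perimeter appliance would: every flow leaving the internal network is matched against an allow-list of designated egress hosts, and the verdict does not depend on which user or process on the internal host originated the flow. The address ranges, rule names, designated resolver/proxy/mail-relay hosts and the flow records are all constructed assumptions.

```python
"""Perimeter egress policy model (added example; not code from the thread).

A default-deny outbound policy: only designated internal hosts may reach the
Internet, and only on their expected ports. Anything else leaving the network
is dropped and counted per source host, which is the detection signal a
perimeter filter gives you that a host-based control cannot.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space; a destination outside it counts as egress.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    src: str     # internal source address
    dst: str     # destination address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str            # internal hosts allowed to originate the flow
    proto: str
    dports: frozenset       # allowed destination ports
    dst_net: str = "0.0.0.0/0"

    def matches(self, flow: Flow) -> bool:
        return (ip_address(flow.src) in ip_network(self.src_net)
                and ip_address(flow.dst) in ip_network(self.dst_net)
                and flow.proto == self.proto
                and flow.dport in self.dports)


# Constructed allow-list. Workstations are deliberately absent: they reach the
# Internet only through the resolver, the web proxy and the mail relay.
EGRESS_ALLOW = [
    Rule("resolver-dns-out", "10.0.0.53/32", "udp", frozenset({53})),
    Rule("proxy-web-out", "10.0.0.80/32", "tcp", frozenset({80, 443})),
    Rule("mail-relay-smtp-out", "10.0.0.25/32", "tcp", frozenset({25})),
]


def is_egress(flow: Flow) -> bool:
    """True when the destination lies outside every internal network."""
    return not any(ip_address(flow.dst) in net for net in INTERNAL_NETS)


def evaluate(flow: Flow, rules=EGRESS_ALLOW):
    """Return (action, reason) for one flow as the perimeter would decide it."""
    if not is_egress(flow):
        return "internal", None          # not perimeter traffic; not our concern here
    for rule in rules:
        if rule.matches(flow):
            return "allow", rule.name
    return "drop", "default-deny"        # nothing matched: dropped and logged


# Constructed flow records. The last four are direct-to-Internet attempts from
# workstations, which this policy blocks regardless of what runs on the host.
SAMPLE_FLOWS = [
    Flow("10.0.0.53", "198.51.100.1", "udp", 53),
    Flow("10.0.0.80", "203.0.113.7", "tcp", 443),
    Flow("10.0.0.25", "203.0.113.9", "tcp", 25),
    Flow("10.0.1.15", "10.0.0.80", "tcp", 443),
    Flow("10.0.1.15", "203.0.113.7", "tcp", 443),
    Flow("10.0.1.15", "203.0.113.7", "udp", 53),
    Flow("10.0.1.15", "203.0.113.7", "tcp", 6667),
    Flow("10.0.1.22", "203.0.113.9", "tcp", 25),
]


def evaluate_all(flows=SAMPLE_FLOWS, rules=EGRESS_ALLOW):
    """Verdict for every flow: list of (flow, action, reason)."""
    return [(f, *evaluate(f, rules)) for f in flows]


def dropped_by_host(flows=SAMPLE_FLOWS, rules=EGRESS_ALLOW) -> dict:
    """Count denied egress attempts per internal host; a spike here is worth a look."""
    counts = Counter()
    for f in flows:
        action, _ = evaluate(f, rules)
        if action == "drop":
            counts[f.src] += 1
    return dict(counts)


if __name__ == "__main__":
    for f, action, why in evaluate_all():
        print(f"{action:8s} {f.src} -> {f.dst}:{f.dport}/{f.proto} ({why})")
    print("denied egress attempts per host:", dropped_by_host())
```

The workstation flows to port 443, 53 and 6667 are dropped by the same rule set that admits the proxy and the resolver, which is the point of the distinction drawn in the thread: the decision is taken on a device the internal host has no control over, so the usual objections to host-based outbound control (a user with unrestricted rights, a process that tampers with the local filter) do not reach it. The per-host drop counter is the part to feed into monitoring.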