On Tue, 2004-09-28 at 13:59, Thor wrote:
Design Flaw #1: While the approach to determine if the PC is used at
home or in a corporate setting (domain membership) seems like a sensible
way, the fact that it is treating all interfaces as equal is not.
Sure-- but remember- [...] Regarding the RAS adapter dialing into the
Internet, in that case, F&P would not be bound in the first place
(when the connection was created).
I guess that's a well deserved black eye for me to take for not
realizing that this default does treat interfaces as ...uhm... not
equal. I shall concede that point to you.
(BTW: How are existing RAS interfaces treated during upgrades? Are F/P
bindings removed?)
Design Flaw #2: Multiple policies conflict in interface protection.
Not really "multiple policies" conflicting... It is an updated policy
replacing existing policies at install time-- there aren't 2 at the same
time... It's very easy to check out what settings are implemented for the FW
in general, and for each individual adapter...
hmm... I'm confused. But perhaps I should drive the car before junking
it. I don't have XP around to see how these two policies present
themselves to the user. My concern is that there are settings in one
place and settings in another, but no means to see the effective,
combined settings in a single dialog. All too often offer systems
immense capabilities for configuration (may I use the word
configurability) only to leave the operator/user lost in all those
choices. As I was saying, a simple and coherent configuration model
helps security greatly.
Perhaps you, Tim, could send me a screen shot with the dialog box that
shows the current FW policy settings on an interface (or a link to a
demo version of XP). Until then I only concede half a point ;)
I really should have been more clear about that- it sounds like "mitigating
factors" junk..
I wasn't trying to sugar coat it-- I was directly responding to the claims
in the article where they said "world readable, no password access" etc...
Oh, okay. I didn't know the article was talking about accessing the
systems. I thought the issue was that the ports are unfiltered and
exposed. Perhaps I need to re-read that article.
There is only one policy- everything is blocked, and you open what you need.
I think some of the other posts may have confused that, but it really is
pretty easy...
Ah, I see. Good. Easy is good. Not just for lamers like me :) but if a
system is made easy to configure and use, then there are less threats to
the security of that system. I'll make sure I have a copy of XP in front
of me before I yell again... ;)
Later dude.
Frank
signature.asc
Description: This is a digitally signed message part
