BLU Discuss list archive
[Discuss] Port Scanning
- Subject: [Discuss] Port Scanning
- From: kentborg at borg.org (Kent Borg)
- Date: Thu, 1 Aug 2024 13:42:20 -0700
- In-reply-to: <20240801172933.yqcdeki3ntkrrl2t@randomstring.org>
- References: <5c43eee0-caaf-45d6-8fdb-273cb3d8ea6d@borg.org> <20240801172933.yqcdeki3ntkrrl2t@randomstring.org>
On 8/1/24 10:29, Dan Ritter wrote:
> Zero Trust means that you don't *grant* access based on the
> sender's IP.

I like my version better: Design and build your system so that every node is secure enough to sit on today's open internet.

The idea of granting access based on the other node's IP address is completely stupid. The fact that it is the standard way of doing things doesn't change the fact that it is stupid. Timidly suggesting, in 2024, "don't grant access based on the sender's IP" is wildly insufficient.

"Oh, but we still need to be behind a firewall. Because we can't keep track of what software we are running and what ports it listens on for what purposes."

I suppose I don't get to say what other people mean by zero trust, but I will hold to what I think they *should* mean:

    Design your system so that it does not need a firewall. Only once the firewall is superfluous is it no longer an embarrassment.

I'm not saying that granting access based on the other node's IP address has *always* been completely stupid. Back in ancient times computers used to be about getting something to work for the first time ever, about getting it to work at all. Telnet was first defined in RFC-206, back in 1973 (three years before even TCP). There were so few telnet servers in the world that the RFC listed them all. Security was not a big consideration, yet something tells me that even those 20-something original telnet servers were going to require a username and password before letting someone in to do much.

RSA's design for public key cryptography was published in 1977, nearly 50 years ago (I remember reading about it at the time in Scientific American). Ken Thompson described backdooring the C compiler in 1984. Cypherpunks were getting going by 1985. The Morris Worm was 1988. We have known computer security is a problem for a *very* long time.

The first edition of /Applied Cryptography/ came out in 1994 (I still have my copy), the first version of ssh was written in 1995: We have had powerful tools for a very long time.

Basing security on the sender's IP has been childish for decades. That it is only now maybe dawning on the industry that this was possibly a mistake is embarrassing. And why has it taken so long? "Because we have a firewall!"

But what does a naysayer like me know? Look at the results. The experts have done a great job! It's not like we still worry about computer security anymore. They figured it out. Don't pay any attention to me.

-kb, the Kent who does think it is okay to put something in front of a server for load balancing and fighting DDoS attacks, even if it also has firewall features.