[Discuss] Port Scanning
Kent Borg
kentborg at borg.org
Thu Aug 1 16:42:20 EDT 2024
On 8/1/24 10:29, Dan Ritter wrote:
> Zero Trust means that you don't *grant* access based on the
> sender's IP.
I like my version better: Design and build your system so that every
node is secure enough to sit on today's open internet.

The idea of granting access based on the other node's IP address is
completely stupid. The fact that it is the standard way of doing things
doesn't change the fact that it is stupid. Timidly suggesting, in 2024,
"don't grant access based on the sender's IP" is wildly insufficient.

"Oh, but we still need to be behind a firewall. Because we can't keep
track of what software we are running and what ports it listens on for
what purposes."

I suppose I don't get to say what other people mean by zero trust, but I
will hold to what I think they *should* mean:

    Design your system so that it does not need a
    firewall. Only once the firewall is superfluous is
    it no longer an embarrassment.

I'm not saying that granting access based on the other node's IP address
has *always* been completely stupid.

Back in ancient times computers used to be about getting something to
work for the first time ever, about getting it to work at all. Telnet
was first defined in RFC-206, back in 1973 (three years before even
TCP). There were so few telnet servers in the world that the RFC listed
them all. Security was not a big consideration, yet something tells me
that even those 20-something original telnet servers were going to
require a username and password before letting someone in to do much.

RSA's design for public key cryptography was published in 1977, nearly
50 years ago (I remember reading about it at the time in Scientific
American). Ken Thompson described backdooring the C compiler in 1984.
Cypherpunks were getting going by 1985. The Morris Worm was 1988.

We have known computer security is a problem for a *very* long time.

The first edition of /Applied Cryptography/ came out in 1994 (I still
have my copy), the first version of ssh was written in 1995: We have had
powerful tools for a very long time.

Basing security on sender's IP has been childish for decades. That it is
only now maybe dawning on the industry that this was possibly a mistake
is embarrassing. And why has it taken so long? "Because we have a firewall!"

But what does a naysayer like me know‽ Look at the results. The experts
have done a great job! It's not like we still worry about computer
security anymore. They figured it out. Don't pay any attention to me.

-kb, the Kent who does think it is okay to put something in front of a
server for load balancing and fighting DDoS attacks, even if it also has
firewall features.