Keith,
Keith Moore wrote:
> I believe you should buy or write applications that ensure their
> own security and protect the security of the machines on which
> they are hosted. I believe you should buy computing platforms
> that provide facilities to isolate applications from one another,
> so that a single compromised application doesn't compromise your
> entire platform.
On this one, half of the mailing list can read what's in the back of your
mind, which can be summarized in a few words: Windows is not a real OS.
Don't try to say that's not what you think; everyone would laugh.
Keith, we are building the Internet for everyone, including the innocent
users that access a web server across the world that happens to run IIS.
Even if you think that the person that chose to implement IIS on top of w2k
is stupid because if s/he had half a brain s/he would have chosen Apache on
top of Unix, that's not the user's problem, and if there is something I
can do as the firewall guy to shield that IIS server, I will.
> read what I wrote again.
I did and I pasted it again:
> the reason I disagree is that fundamentally, there's no way
> that a firewall can reliably distinguish legitimate traffic
> from illegitimate traffic,
Yes there is a way as I just demonstrated; a firewall with up-to-date
code can reliably distinguish legitimate traffic from illegitimate
traffic the same way an anti-virus can reliably detect viruses. And if
Microsoft sucks as much as you say, it is fortunate that it can, because
a web server compromised by a nasty worm is bad for the entire
community. As for myself, I try to do my part of keeping a clean
Internet, which is configuring firewalls in front of web servers,
instead of saying that people should buy web servers that can't be
hacked.
Michel.