Keith Moore wrote:
I believe you should buy or write applications that ensure their
own security and protect the security of the machines on which
they are hosted. I believe you should buy computing platforms
that provide facilities to isolate applications from one another,
so that a single compromised application doesn't compromise your
entire platform.
On this one half of the mailing list can read what's in the back of your
mind, that can be summarized in a few words: Windows is not a real OS.
Don't try to say that's not what you think, everyone would laugh.
you know, I'm happy to say that I don't really know enough about Windows
internals (for any version of Windows) to know for sure whether it provides
those facilities or not. my honest guess is that recent versions do provide
them, and that the reason Windows boxes are insecure is because of poor
application implementation more than poor OS implementation.
still, pretending that a firewall can make up for a lack of security on the
host (ANY host) or in the apps is simply unrealistic, no matter who wrote the
host OS. and nothing we do in IETF can change that.
I did and I pasted it again:
the reason I disagree is that fundamentally, there's no way
that a firewall can reliably distinguish legitimate traffic
from illegitimate traffic,
Yes there is a way as I just demonstrated; a firewall with up-to-date
code can reliably distinguish legitimate traffic from illegitimate
traffic the same way an anti-virus can reliably detect viruses.
no, you demonstrated that it can do so in some cases, but not with reliability
- which would mean that you have the ability to rely on the firewall doing the
right thing. for instance, "doing the right thing" often means being able to
know which applications are enabled on a host, and to decide whether an
application peer has valid credentials, etc. and the firewall simply can't do
that. the app has to protect itself.
And if Microsoft sucks as much as you say it is fortunate that it can,
because a web server compromised by a nasty worm is bad for the entire
community.
you're the one who brought up Microsoft. if you can't understand things that
I actually did say, don't delude yourself into thinking you understand things
that you think I thought but didn't say.
Keith