Re: Hairpin NAT - possible without packet marking?

On 07/04/2017 07:07 AM, Neal P. Murphy wrote:
> On Tue, 04 Jul 2017 07:48:36 +0200
> K <netfilter@xxxxxxxxxxx> wrote:
> 
>> What do all the locks in the world help when you invite the burglar in for tea? In other words: most IT departments have the incoming traffic pinned down as you described, but a single executable disguised as a clip of a cute kitty, downloaded and executed by any employee is what nowadays forms the real threat.
> 
> And that's why I maintain that SSL/TLS is one of the worst things that could've happened to The Internet: our peripheral firewalls are powerless to prevent malware from traversing conns encrypted with SSL/TLS.


Well, communism would be the perfect form of government if no humans were
involved... but humans are involved.

Humans are the weak point in any system.

Imagining you can fix human stupidity by just tightening the screws a
little tighter is just fairy dust and unicorn farts.

The easiest way to breach a network is to drop thumb drives, cdroms, and
urls in the parking lot.

Banning encryption isn't going to save a single thing.

Make passwords too onerous and they get written on post-it notes. Ban USB
drives and people plug in media players. Ban all USB and people will fax
shit.

Technology cannot fix human engineering.

So you build the system to be hard enough for remote nonsense to be easy
and then lose the superman complex.

Think you can stop things using a ban on TLS? I scoff at you. I'll
rot-13 the virus and send it with instructions. I'll shar that puppy and
send it with instructions. Hell, I'll just send instructions in plain
text and _someone_ in your office will be stupid enough to do _all_ the
work.

Heck, for all your talk I'd bet money that you've never done a full
system restore drill on your computers at home or at the office, and at
least half of your data isn't even backed up at all, let alone off-site.

A system too onerous to use _will_ be subverted. Every time. Period.

The only way to keep a computer safe is to turn it off, unplug it, and
shred it.

So you need to concentrate on doing the best things to stop the most damage.

For all that a virus scanner can stop a virus, maybe, if it's already
been told about the virus, the most pernicious encoding of a bad idea is
a well-phrased meme handed to a neophyte.

You can't fix stupid and you can't solve security through draconian
technological intervention.