F21 System Wide Change: Workstation: Disable firewall

Simo Sorce simo at redhat.com
Tue Apr 22 18:23:05 UTC 2014


On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
> On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trmač wrote:
> > 2014-04-22 13:40 GMT+02:00 Stephen Gallagher <sgallagh at redhat.com>:
> >         3) Recovery and auditing are more important than prevention.
> > 
> > This is only true for large managed enterprises, where recovery is
> > possible in the first place (how many people don't have good
> > backups?), and prevention is bordering on impossible (with the high
> > number of systems and administrators).  For individual users auditing
> > is completely pointless, recovery is either impossible or a huge
> > hassle, and prevention the only option.
> Well, the presentation was focused on enterprise systems...
> 
> But there were some underlying themes:
> 
> * Users will work around anything, including security features, that
> interfere with them doing their job.
> 
> * It is impossible to completely secure a system. A prevention only
> approach doesn't work well.
> 
> * An effective security model is built around Deter, Detect, Delay,
> Respond, Remediate.
> 
> * Security is one of multiple threats to system integrity. 

All very true, but you do not remove the Deterrent, just because you
have the other 4 layers (which we do *not* have very much in Fedora when
it is used as a simple workstation).

This is why people say we need to improve the Firewall experience, not
raise the white flag and disable it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York


