F21 System Wide Change: Workstation: Disable firewall

Russell Doty rdoty at redhat.com
Tue Apr 22 18:41:06 UTC 2014


On Tue, 2014-04-22 at 14:23 -0400, Simo Sorce wrote:
> On Tue, 2014-04-22 at 13:22 -0400, Russell Doty wrote:
> > On Tue, 2014-04-22 at 19:01 +0200, Miloslav Trma─Ź wrote:
> > > 2014-04-22 13:40 GMT+02:00 Stephen Gallagher <sgallagh at redhat.com>:
> > >         3) Recovery and auditing are more important than prevention.
> > > 
> > > This is only true for large managed enterprises, where recovery is
> > > possible in the first place (how many people don't have good
> > > backups?), and prevention is bordering on impossible (with the high
> > > number of systems and administrators).  For individual users auditing
> > > is completely pointless, recovery is either impossible or a huge
> > > hassle, and prevention the only option.
> > Well, the presentation was focused on enterprise systems...
> > 
> > But there were some underlying themes:
> > 
> > * Users will work around anything, including security features, that
> > interfere with them doing their job.
> > 
> > * It is impossible to completely secure a system. A prevention only
> > approach doesn't work well.
> > 
> > * An effective security model is built around Deter, Detect, Delay,
> > Respond, Remediate.
> > 
> > * Security is one of multiple threats to system integrity. 
> 
> All very true, but you do not remove the Deterrent, just because you
> have the other 4 layers (which we do *not* have very much in Fedora when
> it is used as a simple workstation).
Absolutely true - the foundation of the stack is Deter. The point is
that we can't harden a system enough for Deter alone to be fully
effective, so we need to have the complete security model.

And you are right. We have a real opportunity to look at an overall
"people centric" approach to security in Fedora. Look at the traditional
threat models, look at the people issues, and look at an overall
approach to maintaining system integrity.

I'd like to see us exploring system integrity in greater depth.
> 
> This is why people say we need to improve the Firewall experience not
> raise white flag and disable it.
Agree. Unfortunately, the easy way out is to punch so many holes in the
default firewall that it doesn't offer much protection...
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 




More information about the devel mailing list