

gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA

reply to madirish
Re: Tiny "officially" no more

Tiny was a fantastic piece of work. It's a little involved, both functionally and conceptually, for a lot of users, but I've thought, from the very beginning, that it was a best of breed and one of a kind product. Secure4u, acquired by Tiny just after the Kerio spinoff, was the one single stable iteration of a "true" system wide sandbox app. Tiny, by that acquisition, became the definitive behavior-blocker, and has never, yet, been matched in that regard.

The grand thing about Tiny is that it's not just a firewall, it's the best design for an anti-trojan there is. Simply identify those behaviors which are suspicious and abnormal, and block them. No need to micro-analyze files every so often, update detection databases, just watch what they do and what they access, and, if that looks dicey, based on what an app normally does, stop the behavior and alert the user. There are certain things a non-system app just ought not be trying to access or do... isn't it better, frankly, to watch for those behaviors and block them, than to try and keep track of every piece of malware out there, one by one? Proactive response versus reactive response.

I lament the passing, if, indeed, it's a passing, of Tiny. We need to keep the idea alive, though. It's the future of firewalling, I think. Ultimately, operating systems might become self-defending, using concepts similar to Tiny/Secure4u's... but I doubt that will be any time soon. Until then, I think we need to support and promote the concepts. Simply, it's just the best way of proactively addressing the threats we haven't yet dealt with... reactive apps require somebody to get infected, discover the infection, and report the same... then, the app developers have to add a pattern match to a database, release a daily update, and, after a few thousand of us have already been compromised, release it... and hope we remember to download our update. Tiny-like apps might need regular updating, but only in so much as a new (previously thought harmless) behavior is linked with a new approach to hackin' an' crackin'.

Maybe (wishful thinking?) Tiny is returning to its roots? Remember, the original Tiny, now Kerio 2.x, was the packet filter element from Tiny's enterprise solution "CMDS" (centrally managed desktop security) system. It also served the classic NAT app, Winroute Pro, in the same capacity. CMDS, I remember saying in here, a few years back, was around the best and most articulately implemented enterprise firewall ever conceived. What happened to it? Well, the old versions were sold off to a (Chinese, I think?) firewalling developer... but the concept became Tiny Enterprise...

CMDS worked on a distributed responsibilities concept. The core was a dedicated security server at the corporate IT center. Each machine ran a packet filter, an ids, a sandbox, and so forth, but the user couldn't tamper with them, even if he was using a company laptop, at home. Simply, as soon as the machine accessed the VPN, the security server checked it out, compared it to the database, and, if anything in the firewall config didn't match the "last known good" config databased on the security server, it denied the computer access to the network, and rewrote the "correct" config back to it. It could also see the logs, and would be able to determine whether the remote machine had been compromised while improperly configured. Nice piece of work.

CA, I know, is now mostly concerned with enterprise solutions. I sincerely hope that, at least, they don't shoot this great idea behind the barn, but incorporate it into their own offerings. Hell, the only thing that honestly can be said in any negative sense about the CMDS concept is that it was just scratching the surface of the kind of security solutions we can be looking at ... of course, as we all know, too, security is often the seven-toed redheaded child of enterprise IT... but that's a new topic for another day... Tiny, it's good to 'ave known ya. Hope you inspire many new generation developers to pursue the road less travelled, towards excellence in concept and design...
--
Semper Eadem

Unconditional love
I'll be there when you fall
The one condition of love ...
... is there are none at all.
over 10 years online! © 1999-2009 dslreports.com.