Andrew Esh wrote -
> I feel we must guard against the mindset that security is worth (even
> partial) denial of access. We must also guard against becoming passive,
> and content with a secure network. We must employ the same passion that
> went into the arguments against Hacker Site Lists into making sure that
> the users we are responsible for protecting are not protected to the
> point of suffocation.
I'd like to add my support for this line of reasoning. I have often
been quoted as saying:
"Computer security should be strong enough to repel virtually any attack
***from the outside***, yet unobtrusive enough that the average user is
unaware that he is being guarded by a strong defense."
It is crucial to remember that security measures must not cause
"unacceptable" impediments to the users being protected, and thus
to the business as a whole. What might be considered "unacceptable"
must be determined by each institution.
In the research laboratory setting, there are legitimate needs to access
many "rare" services outside the institution, and sometimes to offer
access to special purpose services. Sometimes those "rare" services
become mainstream (like WWW / "Mosaic"), and sometimes they don't.
Researchers need to be able to use "rare" services long before firewall
(application relay) support exists.
As a security technology, firewalls tend to suffer from two main problems:
1) Firewalls often block out legitimate forms of user access, as well
as undesirable access. In most cases, this causes all but the most
complacent users to install "back doors" so fast your head will spin.
Users need to be able to get their jobs done.
When a site I often do business with recently instituted a very severe
and well configured firewall just after I left on a road trip, it took
me _several whole minutes_ to devise a way to break through to get them
the data they suddenly needed. Ugh.
2) Firewalls tend to encourage a more "relaxed" attitude toward
security on the "protected" side of the firewall. This has devastating
effects when (not "if") the site is penetrated, as the internal
protections tend to be spotty and in disarray. Note that the
penetration need not be _through_ the firewall -- other likely avenues
are "back doors", visitors, the sales department, and "black bag" jobs.
Considering the amazing lengths that "phone crackers" often go to when
pursuing their goals (including physical security attacks), and
considering the technological and social convergence between the "phone
cracker" and "computer cracker" communities, I think that it is rash to
devise "network only" or "software only" security systems which defend
on only one "front". The Threats are much too clever to be stopped so
As a result, I am often heard to say "Firewalls are Bad". This usually
provokes a nice emotional response. :-)
I don't mean this as a blanket condemnation of the technology, because:
1) In some settings, the management may not have the will or the means
to impose a uniform security posture on all machines. The choice may
be between a firewall, and nothing. In such a setting, the firewall
may be a Very Good Thing.
2) Some network-capable machines are not designed to defend themselves,
and it is pointless to try and fix them. In these cases, a firewall can
be invaluable to protect small clusters of such machines, while still
providing some level of network access for them. Ideally, each
"defenseless" machine would have a private network cable shared with a
firewall machine dedicated to its protection (and perhaps also to
defending against it). That way, the compromise of one "defenseless"
machine does not immediately grant access to the entire community of
"defenseless" machines, or the balance of the network.
In closing, I'd like to remind everyone that a secret known by more than
six people isn't going to be a secret for long. A secret on a network
of more than six computers isn't likely to be a secret for very long,
either. If you have something that is a secret, don't put it into a
computer. If you must store secrets in a computer, the firewall
technology that I've found to be the most effective is the six-foot air
gap. Air gaps are inexpensive to purchase and easy to configure, but
tend to be inconvenient to use.
I believe that each host must defend itself at the network-to-host
interface, and that network security is only one component of a
comprehensive security plan.
Leader, Advanced Computer Systems Team
Survivability and Lethality Assessment Directorate
The US Army Research Laboratory
APG, MD 21005-5068 USA