Firewalls: Re: your mail

Firewalls
(December 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: your mail
From:	Marcus J Ranum <mjr @ tis . com>
Organization:	Trusted Information Systems, Inc. Glenwood, MD
Date:	Sat, 31 Dec 1994 08:42:03 -0500 (EST)
To:	alan @ mid . net (Alan Hannan)
Cc:	mccoy @ io . com, bukys @ cs . rochester . edu, firewalls @ GreatCircle . COM
In-reply-to:	<199412310421 . WAA08379 @ westie . mid . net> from "Alan Hannan" at Dec 30, 94 10:21:33 pm
Phone:	301-854-6889

> able to make a version 6 and all the IETF people can say it's secure, but not
> in the real world......

	You say "tomatoe" and I say "tohmato"

	I think the IETF folks are at least understanding enough of the
problem that they wouldn't say "V6 is secure" -- that's too simplistic
since it assumes that there's a common notion of what "secure" means.
I've been watching the traffic in the WG and it looks like V6 will have
some attractive functionality, from a standpoint of end-to-end encryption
and authentication. Those are very useful fundamental technologies - tools,
if you prefer. Other things the WG is discussing is what type of binding
can be made between individual sessions -- in general a technique for
identifying "who" or "what" is on the other side of a socket (with
meaningful assurance, not a WAG like ident).

	So, I suspect that V6 will have some useful components from
which people may be able to build more "secure" networks depending
on their definition of "secure."   V6 will not address the integrity
of the host platform -- so for some people it's not "secure" at all.
The real question in my mind is "will it be better than the current
state of affairs?" and the answer would appear to be "yes."  Some
of the folks on the WG seem to think that V6 will mean No More
Firewalls (and there was much rejoicing) but it's seemed to me that
the main way V6 will help is by allowing people to more easily
become part of a virtual network perimeter(VNP) by taking advantage
of authenticated and encrypted IP. In other words, I think it'll
give us better firewalls by letting administrators permit remote
systems to be "behind" them. :) That's based on a VERY broad
definition on what a firewall is. (I define "firewall" these days
as "a system that enforces and controls access across the boundary
of a trust domain")

	I've been somewhat long-winded (but I've tried to stick
to the topic of firewalls) -- while it's tempting to trash the
standards guys and process* I think that eventually it pays off.
Right now we're using things like SOCKS and screening routers
and proxies -- these are all different implementations of the
same basic principle. Having a generalized implementation available
means a lot less re-invention of the wheel. From the stuff they
are looking at having in V6, we *will* be able to build more
"secure" systems more easily.

mjr.
[* one of my favorite pastimes]

References:

Re: your mail
From: Alan Hannan <alan @ mid . net>

Indexed By Date	Previous:	Re: SNMP Proxy agent From: "Simon J. Gerraty" <sjg @ zen . void . oz . au>
Indexed By Date	Next:	Re: your mail From: smb @ research . att . com
Indexed By Thread	Previous:	Re: your mail From: mccoy @ io . com (Jim McCoy)
Indexed By Thread	Next:	Admin effort From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)