Firewalls: Re: SmartWall

Firewalls
(July 1995)

Indexed By Thread: [Previous] [Next]

Subject:	Re: SmartWall
From:	cmcurtin @ clipper . cb . att . com
Date:	Sun, 23 Jul 1995 09:19:02 -0400
To:	Dave Dunwoodie <ddunwood @ dsc . blm . gov>, firewalls @ GreatCircle . COM
In-reply-to:	Dave Dunwoodie <ddunwood @ dsc . blm . gov> "SmartWall" (Jul 17, 7:22pm)
References:	<Pine . LNX . 3 . 91 . 950717191804 . 5573A-100000 @ dsc . blm . gov>

On Jul 17,  7:22pm, Dave Dunwoodie wrote:

> Our oversight agency contact is also from the old school, and not
> especially comfortable with a product that provides source code.
> While I'm biased, I'll gladly listen to arguments for either
> side, and perhaps ultimately influence (change) my agency's decision.

I really don't understand the concept of NOT being comfortable with a
product that will provide you with source code. What's there not to be
comfortable with? (Obviously, keeping ON your production firewall
machines would be stupid, but just having it could be infinitely
useful).

One of the things to remember is the obvious: your firewall is your
connection to the Internet. Assuming that you've got firewalls at every
point of connection between your private and any untrusted (i.e., not
yours) networks, any attacks against your networks are going to be
against (or through) that firewall.

Are you willing to accept that the firewall product that you buy has a
sufficient level of security, just because the vendor told you?
Can you trust the security your company's intellectual property to a box
whose functionality could be completely unknown to you, aside from the
user interface stuff? No firewall vendor is going to tell you how
vulnerable their product is (likely, the sales guys won't even know).
Sure, a lot of old school management types will say that if there is a
breakin, you can point the finger at the vendor, blah blah blah... The
point here is breakin prevention. Further, if there is some hole in the
vendor's "black box," how can you be sure that you'll know if it's been
exploited?

If you've got the source code, you can look at it to get a good
understanding of how it *really* works. Also, if additional
functionality needs to be added, you can assess how big of a deal it
would be to do that, and actually do it. If you don't know what's
inside, you can't do anything.

I think having the source code is critical. Maybe not everyone on your
staff will understand it all, but there ought to be someone in your
organization who can understand it. The firewall is too critical a place
to not have at least one person who is clued (as opposed to clueless :)

-- 
C Matthew Curtin       AT&T Bell Labs       Internet Gateway Applications Group
http://www.att.com/homes/matt_curtin.html PGP KeyID:cmcurtin @
 clipper .
 cb .
 att .
 com

References:

SmartWall
From: Dave Dunwoodie <ddunwood @ dsc . blm . gov>

Indexed By Date	Previous:	Re: Raptor / Seal / Sidwinder , plus E-mail From: paul @ hawksbill . sprintmrn . com (Paul Ferguson)
Indexed By Date	Next:	Source code From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)
Indexed By Thread	Previous:	SmartWall From: Dave Dunwoodie <ddunwood @ dsc . blm . gov>
Indexed By Thread	Next:	SmartWall From: "Crandall, John" <crandaje @ maritz . com>