......... Wilner @ DOCKMASTER . NCSC . MIL is rumored to have said:
]
] Yet, just as in the other firewall books, there is no mention
] of "meatier" INFOSEC issues, such as high-assurance trusted
] platforms or formal modeling of TCP/IP protocols. There is
IMHO this is not 'firewalling (read: separating networks according
to a given security policy)'; these are host and network issues.
True, both of these are required knowledge for firewalling, and
also subsets of firewall theory. However, they are not wholly
firewall related, and in my opinion should be considered separate
topics. When one considers accounting, rarely do they cover
aspects of addition.
] little substantive discussion of denial of service, which is
] quite important. There is no mention of integrating firewall
] technology with COTS security products other than I&A tools.
] No mention of emerging technology pursuant to either NSA's
] MISSI program or NIST's PKC entity authentication research
] (q.v. Draft FIPS PUB "JJJ") is to be found.
And this makes me quite happy. I have no interest in MISSI
compliance, and I have yet to have a customer request it. If they
did, I'd like to go read a book about MISSI and anal proprietary
government standards, not a book about firewalling a network from the
Internet.
] What's the deal? It seems that the participants in this
] august forum are concerned only about cookbook-style
] approaches. "How can I run such-and-such application?" "What
] ports should I block in order to securely operate FOOBAR?"
] "What commands do I issue to my Telebit?" "How can I get DNS
] to do such-and-such on a screened-subnet doodad with DYNIX and
] NetWare?" This is all that people seem to want to discuss.
This may be true with regards to books about firewalls; however, on
at least two occasions in as many months we have had discussions
about MISSI and Fortezza.
] It is noted with sadness that challenges such as the one
] detailed in the preceding four paragraphs are never responded
] to. One takes that to mean either that everyone is in
] complete agreement and therefore no discussion is required, or
] that no one feels qualified to disagree in writing.
Always the rebel, I had to reply :) Most people here are involved
in corporate network security. It's my opinion the breakdown
would go something like this -->
Corporate -- 35%
Vendors and Developers -- 35%
Government Agencies -- 15%
Educational and Theorists -- 15%
If you buy into this, then perhaps you'd buy that 75% of the
money/focus for Vendors and Developers is for Corporate network
security. Hence, 35% + (.75 * 35%) = at least 61% of the people here
are interested in corporate network security. Couple that with
the focus on Government Agencies --> 15% + .25*35% ==> 23% and we
see that the government compliance issues are not as predominant.
Therefore, I think that explains it.
However, you make good points as to the desire to increase the
"meat" discussed here. What is the general consensus? Are topics
like Fortezza, B-1 compliance, etc. welcome? I don't mind them,
though on the same token, perhaps a mail list dedicated to the
broader topic of Information Security would be appropriate.
Conversely, if the topic directly relates to firewalls (like
Fortezza might) then I'm interested...
Hmm....
--
Alan Hannan http://www.mid.net/~alan 402/472-0239
Network Systems/Security Administrator MIDnet, Inc.