Great Circle Associates Firewalls
(March 1996)
 


Subject: RE: Firewalls: NT versus UNIX
From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Date: Mon, 11 Mar 1996 20:57:27 -0500
To: "'cmcurtin @ gatekeeper . cb . att . com'" <cmcurtin @ gatekeeper . cb . att . com>
Cc: "'Firewalls'" <firewalls @ GreatCircle . COM>

C Matthew Curtin wrote...

"I fear that we're going to start seeing lots of these silly machines start 
coming up ... everything in one. A bad idea for security, a bad idea for 
service ... but they, like so many other dumb things that people with money 
claim to "need," will probably become successful products from the 
perspective of marketing and profitability. Sigh."

Now considering we are nearly, if not actually, at the point of needing 
these types of setups on every single machine, don't you think we need to 
rethink the belief that there needs to be a separate machine for each 
critical service? I mean, with Java doing what it can do, a gatekeeper 
needs the ability to remotely configure a firewall on every single machine 
*within* his/her organization in order to ensure that rogue programs that 
can get through the firewall aren't able to do things on, or to, those 
internal machines.

With the "browser" concept catching on like wild-fire, and all these 
applications coming about which use the same port, it's getting to the point 
where the philosophy of a firewall (something that allows you to grant or 
deny services based on a combination of things including a service port) is 
getting thrown to the dogs. If, through HTTP, I can download and 
unknowingly execute an application that can do FTP or PING or whatever, 
then the LAN has to be treated as hostile as the external or untrusted 
network.

The solution, in my mind, is not to try and filter out these rogue 
applications at the firewall but to make a tool that a gatekeeper can 
administer that allows him/her to allow or deny services on individual 
machines, in addition to a normal firewall. It will sure make security 
administration a far more complex matter, but in the face of the 
overwhelming desire to do these things I don't see that there is much else 
that can be done. At least it will make your jobs more important! ;-]

I had a conversation recently with a major manufacturer of computers who 
were talking about a PC administration tool which would work through any 
browser and allow the user to do remote control, that is, take over a 
keyboard and do real time screen captures, all using a little HTTP daemon 
to be run on the workstation. When I asked how they planned to secure the 
product, they said they had been thinking about SSL. All I could do was 
throw my hands up and cry uncle!

Where's the LAN-based VPN???

Cheers,
Russ


