Firewalls: Re: Point of no gain

Firewalls
(March 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Point of no gain
From:	sedayao @ argus . intel . com (Jeffrey C. Sedayao)
Date:	Mon, 25 Mar 96 17:47:18 PST
To:	mjr @ v-one . com
Cc:	firewalls @ GreatCircle . COM
In-reply-to:	<199603252256 . RAA16471 @ clark . net> from "Marcus J. Ranum" at Mar 25, 96 05:56:03 pm

> >At what point does the number of users inside of a perimeter become so
> >large that inside of the firewall becomes virtually indistinguishable 
> >from outside of the firewall?  1,000 users?  10,000 users? 100,000
> >users?  Is this point real or just imaginary?
 
> 	My take is it's less a matter of number of users than
> it is number of network interconnects. Offhand, the problem is
> one of those: "if you have to ask, you already know the answer"
> kind of deals.

:-(

> 	Intranetwork firewalls are becoming a hot topic, and 
> I worry that they won't be deployed sensibly, since most networks
> are presently designed to be a single security domain with
> no internal separation.

This is more of the situation that I was thinking about - the number of
users within a single security domain unfettered by any internal
separations.

> 	If I were to tackle the problem, I'd say you need to
> divide your users and their desktops up into the different
> roles they play, sort the roles into security domains, then
> develop access policies for controlling communication between
> each domain. Those policies would be implemented with a
> combination of routers, firewalls, virtual LANs and hubs,
> or whatever. I actually have a short tutorial on how to
> do this kind of analysis that I have been working on for
> some time, but it's not quite good enough yet -- and every
> time I present the concept people's response is invariably,
> "reorganizing my network would take too much work!!"
 
IMHO, the hardest and ugliest part of this is the politics of
reorganizing a network.  I received a number of messages regarding my
question (thanks all).  A number of them mentioned how they had these
internal firewalls and security domains and all.  That's great.  It is
moving from a single security domain to a segmented one - now that's
hard.  I have found that it is very difficult to take something away
from someone once they have it.  And if you don't offer comparable levels
of service and performance, they working around you.

> mjr.
-- 
Jeff Sedayao
Intel Corporation
sedayao @
 argus .
 intel .
 com

References:

Point of no gain
From: "Marcus J. Ranum" <mjr @ clark . net>

Indexed By Date	Previous:	Re: Proxy-server for AOL client??? From: "Stephen D. Williams" <sdw @ gs1 . cinti . net>
Indexed By Date	Next:	Applet/OLE caching proxies?? From: Russ <Russ . Cooper @ RC . Toronto . on . ca>
Indexed By Thread	Previous:	Point of no gain From: "Marcus J. Ranum" <mjr @ clark . net>
Indexed By Thread	Next:	Re: Point of no gain From: amolitor @ anubis . network . com (Andrew Molitor)