Firewalls: Re: Point of no gain

Firewalls
(March 1996)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Point of no gain
From:	amolitor @ anubis . network . com (Andrew Molitor)
Date:	Tue, 26 Mar 96 11:18:45 CST
To:	firewalls @ greatcircle . com

	The hard part (or at least A hard part) of intranet firewalls
is designing an access policy that actually does some restriction and
also lets people do their jobs, without utterly busting everything.
The amount of goo that flies about the network when someone telnets
from how A to host B and logs in is simply astonishing.

	- TCP, to carry the telnet
	- NIS, to get a password entry
	- RPC, to figure out NFS foo
	- NFS to access the user's home directory (technically, I
	  guess this is RPC too, but it usually uses nailed up ports etc,
	  so it's sort of different)

	at the very least, in a typical Sun based setup. I've probably missed
a couple of important things. Restrict any of this, and stuff breaks, your
phone spontaneously combusts, and you back it all out. What you need to do is:

	- try really hard to figure out ALL the stuff that goes on, on your
          network.
	- work out dependencies between the various things that go on.
	- develop a deployment strategy that will naturally grow your
	  network in the right directions.

	The very same people who squall about how hard it would be to
re-organise their network will happily pull 100 miles of cat 5 cable,
throw out a bunch of hubs, slap in a bunch of switches and generally
replace the entire network infrastructure at the drop of a hat. Networks
are always in flux, often dramatic and profound. The key is to show how
to roll the access policy changes in with the other changes. You have
to think in terms of years and incremental improvements, not 'let's buy
a box and stick it >there< and we'll be cool.'

	However much the firewall vendors deny it, they ARE selling quick
fixes, snake-oil panaceas. Sure, they generally do the job the fine print in
the glossies says, but the actual value derived from them (in isolation) is
low. You have a much harder time selling this sort of thing into an internal
network, where things really have to work, where performance does matter,
where policy matters, and so on. Everyone knows you really should approach
all network security stuff from an incremental, years-long, fully staffed
point of view, but for intranets it's a lot harder to cut corners.

		Andrew

Follow-Ups:

Re: Point of no gain
From: Michael Dillon <michael @ memra . com>
Re: Point of no gain
From: Ian Johnstone-Bryden <ianj-b @ dial . pipex . com>
Firedoors? (was Re: Point of no gain)
From: "Frank O'Dwyer" <fod @ fws . ilo . dec . com>

Indexed By Date	Previous:	Re: Sick Puppy From: Chris Eastman <chris @ cwi . net>
Indexed By Date	Next:	Re: JAVA From: Alan Olsen <alano @ teleport . com>
Indexed By Thread	Previous:	Re: Point of no gain From: sedayao @ argus . intel . com (Jeffrey C. Sedayao)
Indexed By Thread	Next:	Firedoors? (was Re: Point of no gain) From: "Frank O'Dwyer" <fod @ fws . ilo . dec . com>