Frank responded to Andrew:
> The problem you describe is very interesting. Thinking about it,
> I wonder if there is any mileage to be got from having lightweight
> intranet firewalls (or 'firedoors') whose purpose is to contain
> some, rather than most, forms of network attack. These would provide
> less protection than the usual firewall, but wouldn't get in the way
> so much either, and could be more easily deployed as an interim
> What I have in mind is somewhat analogous to locking some
> interior doors in your house before going to bed. People don't
> lock interior doors because the people in the living room don't
> trust the people in the kitchen. It's because they fear that if
> someone comes in the kitchen window, they'll steal the stuff in
> the living room, or attack the people in the bedroom, or whatever.
> It's about containment, but on an ad hoc divide-and-conquer
> basis, not really on a security domain basis. You lock doors
> when and where you can, at times and places where they don't
> cause too much annoyance. Interior locks aren't usually as strong
> as exterior locks, either.
> Or, think of firedoors. Those aren't in place because hall A is
> trusted differently than hall B. There is no 'hall A security
> domain'. Nor do firedoors stop all (or even most) bad things,
> all they do is contain the spread of _some_ bad things. Firedoors
> don't help much if the Manson group or the ebola virus turns up
> in hall A, for example.
> Referring to your example, an example of a 'firedoor' might
> be a NIS-specific or NFS-specific choke which only permitted
> requests for certain users or directories through, or was
> time restricted. Or a web choke that blocked some intranet web
> accesses, sometimes. Those won't stop all attacks, but they'll stop
> some. They'll slow some others. As far as breaking stuff goes, at
> least you're focussed on just one or a few services, not everything IP
> based as with a vanilla IP firewall. It could be easier to deploy
> something like this quickly without having to identify security
> domains, and with less fear of breaking stuff. Note, I see this
> as additional to, and not a substitute for, the hard analysis
> which you describe below. But it may be a substitute for doing
> nothing in the meantime?
> Just a few thoughts. What do people think of this?
You may be thinking within a box. If you approach the situation on the
basis of how you apply firewalls to provide internal security, your
approach is valid but there are other ways you could probably achieve a
If you read my book (if you don't want to buy a copy you should be able to
access one at a library; title, imprint, ISBN, and LoC CICS details are below in
my signature) there are suggestions on how you can employ technology to
provide access to all authorised people within a building or a larger site.
That's from a risk management perspective, and there are suggestions on how
you can apply a similar approach to electronic information systems.
If you employ a series of internal firewalls, you are applying denial. That
may be fine for some users and it comes back to analysis of risk to know
what is most appropriate. However, you can apply technology in a risk
management approach to introduce empowerment and in most cases that is a
significantly more cost effective way to go.
What daunts most organisations is the visible up front cost (even the cost
of doing a real risk analysis).
The precise technology set is unique to each case. The reason for that is
the diverse nature of internal networks. Technically, it is entirely
possible to field a complete trusted environment which provides very high
levels of assurance, integrity and availability through risk management
technology which is almost completely invisible. If cost is measured rather
than price, this is usually the lowest cost solution.
This approach may require many changes which have to be introduced
progressively over a period of time, but it works very well in providing
maximum access to authorised users at every level of the environment from
files up, at minimum acceptable risk. It provides high levels of integrity
because it audits all activities and identifies who did what, where, when,
and how. That auditing may make it practical in some systems to allow most
people access to most of the resources (after all no access denial system
is 100% effective, but risks are reduced if a successful intruder can be
tracked and identified and the level of access/damage identified). It
reduces risk management overhead because it allows each element to receive
the level of protection it requires and no more. It will allow greater
productivity and lower cost of ownership than a security approach where
protective measures are coarsely applied with high overheads and high
This approach basically does much what has been done for a great many years
with other pre-electronic information systems, so it's not exactly rocket
In starting the process it may be that a particular organisation starts
applying technology first not to the electronic information systems, but to
other areas of the enterprise. The reason for that is that an
enterprise-wide approach may show that risk reduction can be most rapidly
applied within available budget by addressing (for example) personnel and
training issues first and then introducing measures progressively to the
electronic systems as elements are due for replacement.
Provided that you have your master plan (and don't forget to keep
updating it to match the current situation) that can be very effective when
electronic systems have such a short life and the price of buying well
produced product is not much more than the price of crap and is actually a
much lower cost, provided of course that you have worked out a real
One simple example of zero risk management is the use of copying machines.
Before they became available it was a real pain to type multi-part
documents with carbon paper or use stencils on duplicating machines and so
the number of copies of a document issued was kept as low as possible. The
office copy machine changed that in most organisations to the stage where a
great many people received copies they do not need. As usage increased,
enterprises bought bigger faster machines and more of them and reduced
supervision to the point today where virtually anyone can go and make
however many copies they want of any document (including copies for family
and friends). Very few enterprises have ever analysed why the demand for
copying documents has increased and provided only the resources necessary
to achieve enterprise objectives.
We are now applying the same lax approach to internationally networked
data. Where someone decides that a firewall is essential for security, the
large bandwidth path out of the enterprise may still be the humble
photocopy machine. It's also usually far easier to penetrate a company from
within and the greatest risks are still generated by employees, usually
through human error and bad training.
Ian Johnstone-Bryden, Rayzarb Associates
Tel: +44 (0)1986 782418
Fax: +44 (0)1986 782525
Email: gq50 @
Latest book by Ian Johnstone-Bryden
"Managing Risk", Avebury Imprint
ISBN 1 85972 255 5
Library of Congress CICs No. 95-79002
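The service-specific "firedoor" sketched in the quoted proposal above (an NFS choke that only lets certain sources through, and only at certain times) written out as a ruleset. This is an added example; it is part of neither message and is not taken from the book cited in the signature. It assumes a Linux box running nftables placed on the path between two internal segments, a hypothetical engineering subnet 10.1.0.0/16 and a hypothetical file server 10.2.0.10, with NFSv4 on 2049/tcp. NIS and NFSv3 negotiate ports through the portmapper, so a static filter like this one only cleanly covers NFSv4; that is a limitation of the firedoor idea, not a detail of the proposal.

```nftables
#!/usr/sbin/nft -f
# Added example: a single-service "firedoor" for NFSv4 between two internal
# segments. Addresses, server and hours are constructed for illustration.
# The chain's default policy is accept, so the only traffic this box can
# break is new NFS sessions to the one server it knows about; everything
# else on the segment passes exactly as it did before.

flush ruleset

table inet firedoor {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # Sessions already open survive the time boundary, so a long copy
        # started at 18:55 is not cut off; only new sessions are gated.
        ct state established,related accept

        # Engineering subnet may open NFS sessions to the file server on
        # weekdays (meta day 0 = Sunday) between 07:00 and 19:00 host time.
        ip saddr 10.1.0.0/16 ip daddr 10.2.0.10 tcp dport 2049 ct state new meta day 1-5 meta hour "07:00"-"19:00" accept

        # Any other attempt to reach that NFS server is logged (rate limited
        # so a scan cannot flood the log) and then dropped. The log line is
        # the "who tried what, and when" record the proposal is after.
        ip daddr 10.2.0.10 tcp dport 2049 ct state new limit rate 10/minute log prefix "firedoor-nfs-drop: "
        ip daddr 10.2.0.10 tcp dport 2049 ct state new drop
    }
}
```

Load it with `nft -f` on the box doing the forwarding. Two caveats a practitioner would want before deploying even this much: `meta hour` is evaluated against the kernel's clock in the host's time zone, so a box left on UTC will open and close the door at the wrong local hours; and because the rule matches on source address rather than on the user making the request, it contains the "someone came in through the kitchen window" case only as far as the attacker is on the wrong subnet. Per-user or per-directory restriction, the other half of the quoted suggestion, needs something that understands the NFS protocol (export options and Kerberos on the server itself), not a packet filter.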