I recently spent several hours (yes hours!) on the phone discussing the
relative merits of my "stupid firewall philosophy" with a gentleman
representing a company implementing secure financial services on the
Internet. His service, if I understood correctly, was based on
(something like?) SWIFT which has been in use in Europe for 15-20 years
by many large financial institutions and therefore was not going to be
changed quickly if at all.
My firewall was stupid (based on fwtk) because it put proxies in bewteen
my inside hosts and external servers. Furthermore, any firewall that did
any sort of network address translation or proxying was brain-dead. (My
interpretation of his statements).
Why? Because his software passed an identifying "ticket" with every
packet. This ticket comprised an encrypted date+time, the IP address of
the client machine and some other stuff. When the server saw a packet
from a host whose IP address did not match that in the ticket, alarm
bells would sound and the fraud squad would be on the door step within
When I suggested to him that 80% (just guessing, so be nice to me) of
the firewalls outside of the financial world use NAT and or proxies he
scoffed at the prospect, suggesting that people using such stupid
technologies were going to miss out on the upcoming revolution about to
hit the Internet with secure financial transactions that would not work
through such firewalls. He also mentioned the "new Microsoft software"
several times (anyone know which?).
Does anyone have any comments on this guy's philosophy, or mine for that
matter? I would especially like to hear from anyone who's been following
the development of secure financial transactions (SET comes to mind,
right track?) and how these systems are expected to operate through
"stupid firewalls" like mine.