On Wed, 13 Nov 1996, Bill Stout wrote:
> Kicked off a lot of brain CPU cycles with that post. Good.
>
> I reworded a statement made by management and programmers in an
> understandable format. I've been asked; "Why would we need a
> firewall if my peer-to-peer connection is secure?". I do get
> strange looks when I reply, "Uh, centralized control?". That
> answer does not justify a $15K purchase in some circles. Another
> challenge feeding this is Microsoft Marketing 'You don't really
> need a firewall, NT is secure' mentality.

If everyone has the firewall function on their machine, everyone takes the
function of security chief. The result is basically NO security.
Your organization is much better off with a qualified security
person/organization and specialized equipment. Do the Police use CB
radios? No, they have Police Band equipment. Is anyone allowed to grab a
gun and go on patrol? No, you must have special training, be qualified
and identified as a Police Officer.
An example that may make much more sense is to compare it to backups. Is
it better to give everyone a 2 Gig hard drive and a 2 Gig tape drive and
expect them to handle proper backups of all their data OR should the
organization centralize that function/equipment? This works best if a
power user has recently lost some data worth a few million bucks and your
central backup system bailed the company out BIG TIME.

> I will be the last to say NT Network Security is tight, even
> though they are implementing tighter authentication and encryption.

This is only part of security. Security can be disabled without breaking
authentication or encryption. Sessions can be hijacked, passwords can be
stolen, physical access can occur.

> For example, I think one can break into administrative shares
> without needing passwords on NT internet webservers by simply sweeping
> through SMB UIDs for previously cached \c$ connections (more homework
> to follow) and I'm guessing most NT IIS boxes on the web do have
> shares/server service running. I also think firewalls will need
> to deal with stronger client application authentication and encryption.
>
> Part of me also thinks that moving firewall functions to the
> desktop is like moving from 'castle wall' perimeter security to
> more modern building 'doorlock' security, but admittedly it won't
> protect 'the network' against oversize or syn packet attacks, or
> users installing insecure services.

Even with door locks, there is someone in the lobby during business hours
monitoring who is given free access to the place. Can you say "visitor
badges"?

> Next I'll need protection from ISPs who raise their T1 rates 30%,
> and only send a letter to accounts payable, not the domain contact.
> Though I won't mention Internex's name (Jab).

Dana Bourgeois
----------------------
fg @ portal . com
Natasha: Black RX-7 R1