Great Circle Associates Firewalls
(October 1997)
 


Subject: RE: sex, lies, and firewall code
From: "Craig S. Wright" <craig . wright @ asx . com . au>
Date: Wed, 22 Oct 1997 06:59:28 +1000
To: Jyri Kaljundi <jk @ stallion . ee>, "Firewalls @ GreatCircle . COM" <Firewalls @ GreatCircle . COM>, "'Eric Vyncke'" <evyncke @ cisco . com>

>Authentication and confidentiality are more for VPN Virtual Private
>Network than for firewalls. IPsec with X.509 certificates is becoming
>available for nearly all firewalls nowadays, this will solve the
>authentication/confidentiality problem.

	Why should it stop at the VPN? Most attacks are internal. The overhead to exchange keys on "modern" machines is low. Why stop at the firewalls? At least cover all the servers if not workstations. 
	The next thing is that IPsec on firewalls with X.509 does not solve all the problems. X.509 may specify a null-null-null MAC/encryptor. If the internal network uses PKCS#x signed packets the firewall must just allow them through. Either that or we relegate users to clear text again.
	X.509 with IPsec will start to help when the firewall/gateway is not a classical firewall, but an encryption gateway that even if it passes clear information to the world (is someone looking at your web server), still encrypts all internal traffic.

	Finally, all this is do-able now. The overhead is low. Cost is not great. 

Craig S. Wright
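The point above that a certificate proves who a peer is but says nothing about whether the negotiated transform protects anything is worth making concrete. The following is an added example, not code from the original post or from any of the products discussed: a small policy check that a gateway could apply to ESP proposals, rejecting the "null-null" case (NULL encryption with no integrity) and flagging NULL encryption on its own. The proposal structure, algorithm names and peer addresses are constructed for this illustration and are not taken from any real IKE implementation.

```python
"""
Added example: reject IPsec ESP proposals whose transform set gives no
protection. The EspProposal format, the algorithm strings and the sample
peers below are constructed for this example (assumption), not taken from
any real IKE or firewall product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class EspProposal:
    """One ESP transform set as a gateway might see it during negotiation (constructed)."""
    peer: str
    encryption: str   # e.g. "3DES-CBC" or "NULL"
    integrity: str    # e.g. "HMAC-SHA1" or "NONE"


# Transform names that provide no confidentiality / no integrity (constructed labels)
NULL_ENCRYPTION = {"NULL"}
NO_INTEGRITY = {"NONE", "NULL"}


def evaluate(proposal: EspProposal) -> tuple[bool, list[str]]:
    """Return (accepted, reasons).

    A valid X.509 chain only authenticates the peer; the transform set
    decides whether the traffic is actually protected, so both must be
    checked before the SA is installed.
    """
    reasons = []
    if proposal.encryption.upper() in NULL_ENCRYPTION:
        reasons.append("NULL encryption: payload travels in clear text")
    if proposal.integrity.upper() in NO_INTEGRITY:
        reasons.append("no integrity/MAC: packets can be forged or altered in transit")
    return (not reasons, reasons)


def filter_proposals(proposals):
    """Split proposals into accepted and rejected lists, each paired with reasons."""
    accepted, rejected = [], []
    for p in proposals:
        ok, why = evaluate(p)
        (accepted if ok else rejected).append((p, why))
    return accepted, rejected


# Constructed sample proposals: one sound, one authentication-only, one null-null
SAMPLE = [
    EspProposal("10.0.1.5", "3DES-CBC", "HMAC-SHA1"),
    EspProposal("10.0.1.9", "NULL", "HMAC-MD5"),
    EspProposal("10.0.2.3", "NULL", "NONE"),
]

if __name__ == "__main__":
    acc, rej = filter_proposals(SAMPLE)
    for p, _ in acc:
        print(f"ACCEPT {p.peer}: {p.encryption}/{p.integrity}")
    for p, why in rej:
        print(f"REJECT {p.peer}: {p.encryption}/{p.integrity} -> {'; '.join(why)}")
```

Whether the authentication-only proposal (NULL encryption with an HMAC) should be accepted is a policy decision; the check above rejects it because the thread is about keeping internal traffic encrypted, and a site that only wants integrity would drop the NULL_ENCRYPTION test.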




----------
From: 	Eric Vyncke
Sent: 	Wednesday, October 22, 1997 2:10 AM
To: 	Jyri Kaljundi; Firewalls @ GreatCircle . COM
Subject: 	Re: sex, lies, and firewall code

At 15:54 21/10/97 +0300, Jyri Kaljundi wrote:
>
>Sun, 19 Oct 1997, Craig S. Wright wrote:
>
>>         When there is finally a gateway product that has full
>> authentication based on digital certification. That links to all
>> machines in the domain. That does a host AND user authentication
>> simultaneously. 
>
>Yes, I believe also this is the future way to go. Every PC using
>transparent encryption to the firewall, using strong encryption and strong
>authentication methods between each of them. Preferably so, that every
>user has their certificate or key for that matter on a smart card (or
>floppy, whatever) and they have their rights and policies going through
>the firewall connected to the identity stored on the smart card. 

Authentication and confidentiality are more for VPN Virtual Private
Network than for firewalls. IPsec with X.509 certificates is becoming
available for nearly all firewalls nowadays, this will solve the
authentication/confidentiality problem.

But you still have to fight against:
- DoS: ping o' death, OOB, SYN attack
- contents filtering: URL, java applets, ...
- ...

Just my 0.25 BEF to add to the discussion ;-)

-eric

>
>Jyri Kaljundi
>jk @ stallion . ee
>AS Stallion Ltd
>http://www.stallion.ee/
>
Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke @ cisco . com          Mobile: +32-75-312.458



