Great Circle Associates Firewalls
(July 1995)

Subject: Review: "Safely Connecting to the Internet" Internetwork 7/95
From: NetSurfer <netsurf @ pixi . com>
Date: Mon, 24 Jul 1995 20:32:55 -1000 (HST)
To: firewalls @ greatcircle . com
Cc: 73204 . 340 @ compuserve . com, birkheadec @ box101 . cardinal . com
In-reply-to: <9507202102 . AA19029 @ ig2 . att . att . com>

I was perusing through Internetwork magazine 7/95 issue and came across a 
brief Security/Firewall article that among other things recommends NT for 
a "fire containment facility."  I thought you might find a couple of 
quotes interesting, as the author, Steve Lopez, advises the readers on 
Internet security.  Interestingly enough, he doesn't appear to have his 
own host on the net, as his email address is on Compu$erve.  Considering 
the recent discussions of the problems involved with using NT as a 
bastion host, it seemed timely.

Mr. Lopez first observes that the first solution to Internet security is 
to remove Unix from the picture.  To quote: "Think about it, almost every 
documented security breach has occurred through some Unix-based system.  
Therefore, would it not make sense to base an Internet connection on a 
more secure operating platform?"  He goes on to state that "A bastion 
host running Windows NT or OS/2 is a very good start."

He argues "No operating system is 100 percent secure, but any one of 
these examples is less likely to have as many exploitable security holes 
because the source code is privately controlled and commercially sold."

Sounds like "security by obscurity."

His novel creation is not a firewall, but a "fire containment facility", 
which rather than having a DMZ has a "dirty area."  His description:  
Instead of directly connecting the bastion host to the Internet router, 
connect an SNMP managed ethernet concentrator on the router.  By doing 
this you create a "dirty area" that might be better contained and 
managed.  He concludes that "by connecting the bastion host to the 
concentrator instead of the router, the chances of direct attack on any 
hosts connected to the concentrator are lessened, since the router will 
take the hit and not any of your Internet hosts.  The worst case scenario 
is that you might have to reset your router after a possible attack."

I included Mr. Lopez on the message thinking perhaps he might benefit 
from the observations/comments of some of the experienced security types 
on this list; if you want him to get your response be sure his address is 
included...

-NetSurfer
#include <standard.disclaimer>