Great Circle Associates Firewalls
(September 1995)
 


Subject: Re: HannaH from SecureWare Inc.
From: mulligan @ future . incog . com
Date: Fri, 01 Sep 1995 12:03:49 -0600
To: Charles Cooley <cooleycd @ jmu . edu>
Cc: Alan Hannan <alan @ mid . net>, David Miller <isdmill @ gatekeeper . ddp . state . me . us>, Gary Flynn <gary @ habanero . jmu . edu>, firewalls-owner @ GreatCircle . COM, firewalls @ GreatCircle . COM, adm_lcorea @ VAX1 . ACS . JMU . EDU, foxtrot @ sware . com, oit_cathy @ VAX1 . ACS . JMU . EDU, oit_charles @ VAX1 . ACS . JMU . EDU, oit_dbh @ VAX1 . ACS . JMU . EDU, shan . bell @ sware . com
In-reply-to: Your message of "Fri, 01 Sep 1995 11:22:21 EDT." <Pine . HPP . 3 . 91 . 950831210321 . 5188C-100000 @ phillipe . jmu . edu>
Reply-to: mulligan @ incog . com

Charles Cooley wrote:
> While I agree that firewalls are an important defense to provide overall 
> site security, it's not enough.  The impression that I am getting from the
> two responses to Gary's message, is that firewall and other network security
> are significantly more important than individual host security mechanisms.

A combination of host and perimeter security is necessary.  Just because
people install firewalls doesn't mean that they get rid of passwords,
but HannaH does seem to have some design flaws, as mentioned in
previous messages.

> I believe that HannaH should be viewed as an alternative to Virtual LAN 
> security schemes instead of firewalls and one of the complaints about
> Virtual LANs is maintainability.

As I mentioned earlier, one of the failings of HannaH is lack of support
for IP multicasting which will become much more significant for LANs as
more conferencing, phone, video software is distributed.

> One of HannaH's advantages is that it provides a mechanism to provide 
> security based on the identity of a person rather than a host.  The old
> Internet concept of host is out of date.  Hosts were multi-user systems
> owned and MANAGED by organizations and individual people were 
> authenticated by those hosts.  With the proliferation of PC class 
> systems, many systems connected to networks are single user systems.
> The old assumptions about security (like the "secure" ports below 512/1024)
> can be very dangerous.

If you assume that the systems connecting to the net are single user
systems, there is no difference between host authentication and
user authentication as long as I have to authenticate myself to the end
system. HannaH also doesn't solve the multiuser desktop problem. 

	geoff




