>From: "Marcus J. Ranum" <mjr @
>Date: Fri, 5 Apr 1996 10:06:20 -0500 (EST)
>Subject: What layer?
>>I was at a seminar presented by Stuart Holoman, Holocon Inc.
>>yesterday, and he said firewalls are not effective/implementable
>>below the session layer:
>>I don't know if he was speaking in abstract terms (e.g., not many
>>people know how to make them effective).
> He was probably either speaking in abstract terms, or he
>didn't know what he was speaking about. "Experts" are certainly
>crawling out of the woodwork these days, and it seems that the
>main qualification for teaching seminars on firewalls is to FTP
>my old viewgraphs from the 'net, read C&B and C&Z, and start to
>make grand pronouncements. :)

You have to know Stuart to understand his position on this. He takes the
position that any form of access control (including firewalls) can be
subverted. He says that the only real security is encryption. While I
think this is really just part of the story, it's interesting food for
thought. In my next column for InfoSecurity News I explore a practical
implementation of his theory. Also, when Stuart lectures he tends to be
provocative on purpose to stimulate discussion and thought. I don't
completely agree with him, but his points are certainly worth exploring and,
for the many who are just beginning to feel their way in this environment,
it's these types of issues that require consideration.

As for being an "expert" and the rest of your indictment, in his defense I
would like to point out that Stuart has been in the infosec business for a
long time, has been teaching and lecturing for many years and was involved
directly in the development of the ethernet standard. He has an
international reputation as a consultant among the business community.
While he is not what I call a "back room guru" (those who develop the new
software, products and theories that those of us on the firing line depend
upon for our success) he is an extremely competent security consultant and
teacher. As I said, I don't always agree with Stuart, but he always makes

Peter Stephenson, Division President, InfoSEC Technologies
division of Sanda International Corp.

Headquarters                  Operations Center
401 Pinehurst Drive           590 Lipoa Parkway Ste 208
Rochester Hills, MI 48309     Kihei, Maui, HI 96753
(810) 650-2699 phone          World Wide Web:
(810) 375-2717 fax            http://www.versalink.com