Great Circle Associates Firewalls
(August 1996)
 


Subject: Re: Info World Firewall Articles
From: Steve Kotsopoulos <steve @ ecf . toronto . edu>
Organization: University of Toronto, Engineering Computing Facility
Date: Thu, 8 Aug 1996 17:30:58 -0400
To: firewalls @ greatcircle . com
In-reply-to: <2 . 2 . 32 . 19960807210742 . 00697ca4 @ earthlink . net>

jminie @ earthlink . net wrote:
>We're aware of how insecure UNIX is natively.  The point here is that a
>firewall should be as close to 100% secure as possible out-of-the-box,
>removing the possibility that human intervention (or human NON-intervention,
>for that matter) creates or allows ANY holes for ANY length of time.
>
>A couple of UNIX-based firewall vendors DO address the issue of the
>non-secure kernel.  If kernel insecurity is addressed at the vendor level,
>(i.e. - the guys making the money) the argument about customer-level
>'professional' versus 'scanner' firewall users should be non-existent.  I
>truly believe in the concept that, without a hardened kernel there is no way
>to guarantee a truly secure firewall.

I agree. Here are my new definitions, which may be of use to others:

A 'firewall' is a system that if configured correctly by professionals
 (who have read all the manuals from cover to cover), and notwithstanding
 hardware or software bugs or problems, protects your network.

A 'good firewall' is a system that protects your network.
 It must have defense in depth, so that in the event of a failure (such
 as after the discovery of new bugs), other mechanisms will protect you.
 It must have a fail-safe design, for protection in the event of
 hardware/software problems or administrative errors. Instead of letting
 attackers in when there is a failure, fail-safe systems deny access to
 both attackers and legitimate users. Failure to read the manual may result
 in you not being able to turn a service on, instead of the service being
 wide open without protection, and possibly making your internal network
 vulnerable.

If I wanted to protect my network, I would buy a 'good firewall'.

Since so many people wanted to talk about the necessity of completely
reading the manuals, I searched the FireWall-1 web site to see what
they had to say about it. The closest I could find was the "Ease of Use"
paragraph at http://www.checkpoint.com/brochure/page10.html
It starts with  "FireWall-1 was designed to be easily installed,
configured and managed.", then talks about the easy to use GUI,
and the integrity checking that reduces the chance of operator error.
I couldn't find any mention of a manual.
-- 
Steve Kotsopoulos  M.Eng.                         steve @ ecf . toronto . edu
Systems Analyst   Engineering Computing Facility, University of Toronto
http://www.ecf.toronto.edu/~steve/
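The fail-safe property Steve describes above, as an added example that is not part of the post or the list archive: a toy packet filter (constructed, in Python) whose default verdict is "deny", so that an unloadable rule set shuts out both outside hosts and the legitimate internal mail server instead of leaving port 25 wide open. The rule syntax, the addresses and the policies are all constructed for this illustration.

```python
"""Fail-safe vs fail-open filtering: a constructed toy policy engine."""
from ipaddress import ip_address, ip_network


class PacketFilter:
    """Stateless filter. `default` is the verdict when no rule matches or when
    the rule set could not be loaded: "deny" is fail-safe, "allow" is fail-open."""

    def __init__(self, default="deny"):
        self.default = default
        self.rules = []        # list of (action, network, destination port)
        self.loaded = False

    def load(self, text):
        """Parse lines like 'allow 10.0.0.0/8 25'. One malformed line rejects
        the whole set: a half-read manual cannot yield a half-loaded policy."""
        rules = []
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            try:
                action, src, port = line.split()
                if action not in ("allow", "deny"):
                    raise ValueError("unknown action: " + action)
                rules.append((action, ip_network(src), int(port)))
            except ValueError:
                self.rules, self.loaded = [], False   # nothing matches; default applies
                return False
        self.rules, self.loaded = rules, True
        return True

    def verdict(self, src, dst_port):
        """First matching rule wins; otherwise the default verdict."""
        addr = ip_address(src)
        for action, net, port in self.rules:
            if addr in net and port == dst_port:
                return action
        return self.default


GOOD_POLICY = "allow 10.0.0.0/8 25\ndeny 0.0.0.0/0 25\n"          # constructed
BROKEN_POLICY = "allow 10.0.0.0/8 25\nalow 10.0.0.0/8 80\n"       # typo in 'allow'


def demo(policy, default, src="192.0.2.7", dst_port=25):
    """Load a policy into a filter with the given default and judge one packet."""
    fw = PacketFilter(default)
    fw.load(policy)
    return fw.verdict(src, dst_port)
```

With the broken policy, the fail-safe filter denies the internal 10.0.0.0/8 mail host too (the service simply does not come up), while the fail-open one passes every outside host.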

