Great Circle Associates Firewalls
(November 1996)
 


Subject: Re: Firewall future
From: sedayao @ argus . intel . com (Jeffrey C. Sedayao)
Date: Tue, 12 Nov 96 14:06:45 PST
To: bill . stout @ hidata . com (Bill Stout)
Cc: Firewalls @ GreatCircle . COM
In-reply-to: <2 . 2 . 32 . 19961112195026 . 0124f8b8 @ osc . hidata . com> from "Bill Stout" at Nov 12, 96 11:50:26 am

> I didn't get any flame for stating; a dual-subnet attached NT webserver
> was an O.K. solution, where one can't get past the TCP/IP NT system 
> onto a NETBEUI/IPX network unless the webserver had access to internal 
> systems.  Hmm.
 
> Let me make another statement:
> "If systems in a company's network use challenge/response authentication 
> and password encryption for all connections (such as where NT is headed), 
> there isn't justification for a firewall anymore.  Traditional Firewalls 
> are designed for UNIX environments where plaintext or unprotected 
> applications live, such as telnet/ftp/smtp/popmail/xwindows."
 
I would say that this is not true, for the following reasons.

1.  Password encryption isn't enough.  If you encrypted all connections 
(not just the passwords going by), it would be much better.  Someone outside 
could still work their way in (social engineering for a password), set up 
a sniffer somewhere, and still get good information.  You have to encrypt 
actual connections, not just passwords.  

2.  Firewalls can be useful for blocking denial of service attacks.
Even with password encryption and challenge/response, you could still be
vulnerable to those.

3.  Firewalls are very useful for tracking what your internal users are
doing or blocking them from doing things.  Your management may declare
certain web servers off limits or demand to know what your users are
looking at on the Internet.  It is much easier to make changes or look
at logs on a few firewall systems rather than look on each of 10,000 
systems within your company.  Imagine if one of your users starts
cracking other companies through the Internet.  

4.  Belts and suspenders - I would argue that you still want to use
firewalls to create trust domains around a corporation/organization and 
within that corporation/organization.  Administrators are human and will make 
mistakes - you don't want the whole Internet to capitalize on a mistake made 
in configuring trust relationships on systems.

> Hmm.  Maybe next-generation firewalls will need to look at application/
> RPC transactions that desktop/server PCs use instead of just network port
> number traffic.
 
Yes.

> (opinion ping)
> 
> 
> Bill Stout
> _______________________________________________________________________________
> Senior Systems Admin  NT/Backoffice/Solaris/WWW-Db/Firewalls/Cisco/VM-UNIX/VMS
> Hitachi Data Systems  408-970-4822   ---  Disclaimer:  I speak only for myself
> 
> 


-- 
Jeff Sedayao
Intel Corporation
sedayao @ argus . intel . com
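Point 3 above argues that a handful of firewall choke points make policy checks and log review tractable in a way that 10,000 individual hosts never will be. As an added example (not from this message, the list, or any firewall product), the following Python parses a constructed, hypothetical connection-log format and flags two of the cases Jeff names: internal hosts reaching a web server management has declared off limits, and an internal host sweeping ports on an outside system. The log lines, addresses and format are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall connection log (hypothetical format, not from a real product).
SAMPLE_LOG = """\
1996-11-12 14:01:02 ALLOW tcp 10.1.2.3:1025 -> 192.0.2.10:80
1996-11-12 14:01:05 ALLOW tcp 10.1.2.3:1026 -> 192.0.2.10:443
1996-11-12 14:02:11 ALLOW tcp 10.1.9.9:2001 -> 198.51.100.5:21
1996-11-12 14:02:12 ALLOW tcp 10.1.9.9:2002 -> 198.51.100.5:22
1996-11-12 14:02:13 ALLOW tcp 10.1.9.9:2003 -> 198.51.100.5:23
1996-11-12 14:02:14 ALLOW tcp 10.1.9.9:2004 -> 198.51.100.5:25
1996-11-12 14:02:15 DENY  tcp 10.1.9.9:2005 -> 198.51.100.5:110
1996-11-12 14:03:40 ALLOW tcp 10.1.4.4:3000 -> 203.0.113.7:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY)\s+(?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records

def off_limits_hits(records, blocked):
    """Internal hosts that reached a web server management declared off limits."""
    return sorted({(r["src"], r["dst"]) for r in records
                   if r["dst"] in blocked and r["dport"] in (80, 443)})

def port_sweeps(records, threshold=4):
    """Internal hosts touching >= threshold distinct ports on one external host."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return sorted(pair for pair, p in ports.items() if len(p) >= threshold)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("off-limits:", off_limits_hits(recs, {"192.0.2.10"}))
    print("sweeps:", port_sweeps(recs))
```

Both checks run over the same central log, which is the practical point of the argument: the policy (the blocked set, the sweep threshold) lives in one place rather than on every desktop.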

