> I didn't get any flame for stating that a dual-subnet attached NT webserver
> was an O.K. solution, where one can't get past the TCP/IP NT system
> onto a NETBEUI/IPX network unless the webserver had access to internal
> systems. Hmm.
> Let me make another statement:
> "If systems in a company's network use challenge/response authentication
> and password encryption for all connections (such as where NT is headed),
> there isn't justification for a firewall anymore. Traditional Firewalls
> are designed for UNIX environments where plaintext or unprotected
> applications live, such as telnet/ftp/smtp/popmail/xwindows."
I would say that this is not true, for the following reasons.
1. Password encryption isn't enough. If you encrypted all connections
(not just passwords going by), it would be much better. Someone outside
could still work their way in (social engineering for a password), set up
a sniffer somewhere, and still get good information. You have to encrypt
actual connections, not just passwords.
2. Firewalls can be useful for blocking denial of service attacks.
Even with password encryption and challenge/response, you could still be
vulnerable to those.
3. Firewalls are very useful for tracking what your internal users are
doing or blocking them from doing things. Your management may declare
certain web servers off limits or demand to know what your users are
looking at on the Internet. It is much easier to make changes or look
at logs on a few firewall systems rather than look on each of 10,000
systems within your company. Imagine if one of your users starts
cracking other companies through the Internet.
4. Belts and suspenders - I would argue that you still want to use
firewalls to create trust domains around a corporation/organization and
within that corporation/organization. Administrators are human and will make
mistakes - you don't want the whole Internet to capitalize on a mistake made
in configuring trust relationships on systems.
> Hmm. Maybe next-generation firewalls will need to look at application/
> RPC transactions that desktop/server PCs use instead of just network port
> number traffic.
Yes.
> (opinion ping)
>
>
> Bill Stout
> _______________________________________________________________________________
> Senior Systems Admin NT/Backoffice/Solaris/WWW-Db/Firewalls/Cisco/VM-UNIX/VMS
> Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
>
>
--
Jeff Sedayao
Intel Corporation
sedayao@argus.intel.com
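Point 3 above, the argument that a few choke points are where you enforce and audit egress policy, as an added example that is not part of the original thread or either poster's work: a small audit over constructed firewall log lines (the log format, addresses, the off-limits list and the fan-out threshold are all assumptions).

```python
from collections import defaultdict

# Constructed firewall log, one outbound connection per line:
# "<time> <action> <src_ip>:<src_port> -> <dst_host>:<dst_port>"
SAMPLE_LOG = """\
10:00:01 ACCEPT 10.1.2.3:40001 -> www.example.com:80
10:00:05 ACCEPT 10.1.2.3:40002 -> www.example.com:443
10:00:09 DENY 10.1.2.3:40003 -> blocked.example.net:80
10:01:00 ACCEPT 10.1.9.9:50001 -> host-a.example.org:23
10:01:01 ACCEPT 10.1.9.9:50002 -> host-b.example.org:23
10:01:02 ACCEPT 10.1.9.9:50003 -> host-c.example.org:23
10:01:03 ACCEPT 10.1.9.9:50004 -> host-d.example.org:23
"""

OFF_LIMITS = {"blocked.example.net"}  # management's off-limits web servers (constructed)
FANOUT_THRESHOLD = 3                   # distinct outside telnet targets per internal host

def parse_line(line):
    """Split one constructed log line into its fields."""
    time, action, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_host, dst_port = dst.rsplit(":", 1)
    return {"time": time, "action": action, "src": src_ip,
            "dst": dst_host, "dport": int(dst_port)}

def audit(log_text):
    """Return (policy_hits, fanout_hosts) from the choke-point log.

    policy_hits: (src, dst) pairs that reached for an off-limits server,
    allowed or denied, since a DENY still tells you who tried.
    fanout_hosts: internal hosts opening telnet to many distinct outside
    hosts, the "user starts cracking other companies" case in point 3.
    """
    policy_hits = []
    telnet_targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["dst"] in OFF_LIMITS:
            policy_hits.append((rec["src"], rec["dst"]))
        if rec["dport"] == 23 and rec["action"] == "ACCEPT":
            telnet_targets[rec["src"]].add(rec["dst"])
    fanout_hosts = {src for src, targets in telnet_targets.items()
                    if len(targets) >= FANOUT_THRESHOLD}
    return policy_hits, fanout_hosts
```

Running `audit(SAMPLE_LOG)` reports the one host that touched the off-limits server and the one host fanning telnet out to four outside systems, the sort of thing you would otherwise have to hunt for on each of 10,000 desktops.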