>"If systems in a company's network use challenge/response
>authentication and password encryption for all connections
>(such as where NT is headed), there isn't justification for a
>firewall anymore. Traditional Firewalls are designed for UNIX
>environments where plaintext or unprotected applications live,
>such as telnet/ftp/smtp/popmail/xwindows."
*
If the idea is that you're going to generate a challenge for every
attempted connection to a listening port (internal and external), your
machine is going to be generating a lot of challenges. If you're not
going to generate a challenge for some ports, say, like SMTP or DNS,
then what's protecting you? I seriously doubt that strong
authentication could be added to SMTP in the foreseeable future as a
usable feature outside of your own domain and a few select
recipients. In 25 years we haven't been able to come to terms with a
"standardized" way of authenticating POP3 clients that's got wide
acceptance, so SMTP is even farther away. Sure, I will soon be able to
have encrypted channels between MS Exchange servers that are within my
control, and a way to do encrypted sessions between other MSX servers
that are not in my control. Great, but what about Notes sites, or
Sendmail sites, or the millions of sites that end up as X.400...I
seriously doubt any standardized authentication mechanism can be widely
adopted any time soon.
*
Verisign still expects people to pay $6/year, or whatever it is, for a
personal certificate to identify themselves. How many people do you
think are going to buy into that sort of license plate? If we don't
have some unique identifier for everyone, then what use is strong
authentication on a world-wide scale? So if I'm only using it for my
people, I have the rest of the world to protect against. At the same
time, I may want to let the rest of the world into an aspect of my
network (i.e. my webserver) yet protect it from all those unlicensed
surfers. Without a Firewall, how do I do that?
*
Then there's the issue of proxies. Just because my sales rep is
carrying around his CHAP card doesn't mean I want him to be able to do
anything from anywhere. Imagine that the phone booths of today are
converted into email display terminals (copyright 1996 Russ Cooper). I
walk up, insert my CHAP card, it automatically connects me to my site's
SMTP server in a secure fashion (copyright 1996 Russ Cooper). I've been
authenticated, validated, and have access to my email. But hey, that
guy (duh@cyberwar.com), he went and stuck his line into the phone booth
and mucked about with the phone booth's email program (copyright 1996
duh). It's trying to do all sorts of things to my SMTP server, but
since I've got no proxies between the booth and my SMTP server, it's
wailing away and his Linux box is humming with news from my corp.
*
My point is, without strong proxies and a buffer zone between the
"entity" and the "resource", tings might happen you don't
like...;-]...Even if the "resource" is smart enough to know not to let
bad tings(tm) happen, they're happening right there at the resource, and
that's a bad ting(tm) no matter what it is.
*
Nope, strong authentication is a very good and necessary component of a
Firewall, no doubt, but it doesn't replace what a Firewall does no
matter why Firewalls were created.
*
By the way, NT is heading every which way at once, and they're moving
fast in every direction, and I think that's great. But when it comes to
security, the only place NT is heading is after the tail end of
everything else. Unixen have had strong authentication, CHAP, and
encrypted passwords, Kerberos, and still they see the need for
Firewalls. They've also had encrypted sessions (ala SSH), and still
they see the need for Firewalls. They've even had MLS and packet
labeling, and STILL they see the need for Firewalls. So just who was it
at Microsoft who said that Firewalls wouldn't be needed in the
future?...;-]
*
>Hmm. Maybe next-generation firewalls will need to look at
>application/RPC transactions that desktop/server PCs use
>instead of just network port number traffic.
*
Definitely, there's no doubt about that, but of course that's what
application proxy servers have been doing all along. They don't care
about the port they're assigned to; it's the application that matters (of
course they can be designed such that they will only allow that
application on a specific port, but that's not mandatory in proxy
design). The use of HTTP is going to force better proxies. I would have
thought that somebody would have an RPC proxy by now, since Unixen
have been using it for some time. Personally, I'd say we'll see proxy
generation become part of the application development environment
(copyright 1996 Russ Cooper), you know, you write some stupid little
network application in VB8.0 and it simultaneously generates the proxy
for it...;-]...oh pity the poor Firewall Administrator in those days
(User:"What do you mean you can't allow this through the Firewall,
here's the automatically generated proxy right
here!"...Gatekeeper:"Umm, yes, but......")
*
I think a lot of vendors are doing great things with NT and Firewalls,
but I think there should be a moratorium on talking about Microsoft's
ideas of security until they put an SMTP proxy into MS-Proxy Server
(not in a beta, but a production release). Oh yeah, and nothing more
until they fix NETSTAT. Yeah, time to put our foot down. Besides, by
that time we might get the same answer from 3 out of 10 Microsoft
people instead of the current 2 out of 10.
*
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security Consulting
mailto:Russ.Cooper@RC.on.ca <-- *note the new address*
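The "strong proxy between the entity and the resource" Russ argues for, sketched as an added example (this is not code from the original message, nor from MS-Proxy Server or any product named above). It models only the decision logic of an SMTP-aware proxy, without sockets: the proxy ignores which port the traffic arrived on, parses the SMTP command stream, enforces the command sequence, refuses commands it will not relay (VRFY here), refuses relaying to anyone outside the protected domain, and drops oversize lines, so the "mucked-about" phone booth never gets to hammer the real server. The local domain (example.com) and the booth session are constructed assumptions.

```python
"""Application-layer SMTP filter for a mail proxy (added example, not from
the post).  The proxy does not trust the port: it parses the protocol and
relays only well-formed SMTP that the policy allows.  Decisions are
returned rather than sent so they can be inspected offline."""
import re
from dataclasses import dataclass, field

MAX_CMD = 512    # RFC 5321 command-line limit, CRLF included
MAX_TEXT = 1000  # RFC 5321 text-line limit inside DATA
# Commands the proxy relays; everything else (VRFY, EXPN, TURN, vendor
# extensions, plain garbage) is refused here and never reaches the server.
ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
MAIL_RE = re.compile(r"^FROM:\s*<([^<>\s]*)>\s*$", re.IGNORECASE)  # <> ok (bounces)
RCPT_RE = re.compile(r"^TO:\s*<([^<>\s]+)>\s*$", re.IGNORECASE)


@dataclass
class Decision:
    line: str
    action: str      # "forward" or "reject"
    reason: str = ""


@dataclass
class Session:
    local_domains: frozenset
    phase: str = "init"   # init -> greeted -> mail -> rcpt -> data
    decisions: list = field(default_factory=list)


def _check_command(sess, line):
    """Return None if `line` may be relayed, else the rejection reason.
    Enforces the SMTP command sequence and an inbound-only relay policy."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED:
        return "command not relayed by proxy"
    if verb in ("HELO", "EHLO"):
        if not arg.strip():
            return "missing hostname"
        sess.phase = "greeted"
    elif verb == "MAIL":
        if sess.phase != "greeted":
            return "MAIL out of sequence"
        if not MAIL_RE.match(arg):
            return "malformed reverse-path"
        sess.phase = "mail"
    elif verb == "RCPT":
        if sess.phase not in ("mail", "rcpt"):
            return "RCPT out of sequence"
        m = RCPT_RE.match(arg)
        if not m or m.group(1).count("@") != 1:
            return "malformed forward-path"
        if m.group(1).rsplit("@", 1)[1].lower() not in sess.local_domains:
            return "relaying denied"      # the world may mail us, not through us
        sess.phase = "rcpt"
    elif verb == "DATA":
        if sess.phase != "rcpt":
            return "DATA without recipients"
        sess.phase = "data"
    elif verb == "RSET" and sess.phase != "init":
        sess.phase = "greeted"
    return None                           # NOOP and QUIT pass through


def filter_smtp_session(client_lines, local_domains=frozenset({"example.com"})):
    """Run one client's lines through the proxy policy; return the decisions."""
    sess = Session(frozenset(d.lower() for d in local_domains))
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        limit = MAX_TEXT if sess.phase == "data" else MAX_CMD
        if len(line) + 2 > limit:
            sess.decisions.append(Decision(line[:32] + "...", "reject", "line too long"))
            continue
        if sess.phase == "data":          # body passes through until the lone "."
            sess.decisions.append(Decision(line, "forward", "message body"))
            if line == ".":
                sess.phase = "greeted"
            continue
        reason = _check_command(sess, line)
        sess.decisions.append(Decision(line, "reject" if reason else "forward", reason or "ok"))
    return sess.decisions


def forwarded(decisions):
    return [d.line for d in decisions if d.action == "forward"]


def rejected(decisions):
    return [(d.line, d.reason) for d in decisions if d.action == "reject"]


# Constructed session from the "mucked-about" phone booth; not captured traffic.
BOOTH_SESSION = [
    "EHLO booth-42.example.net",
    "VRFY root",                          # user enumeration: stopped at the proxy
    "MAIL FROM:<russ@example.com>",
    "RCPT TO:<victim@elsewhere.org>",     # relay attempt: stopped at the proxy
    "RCPT TO:<russ@example.com>",
    "XSPAM " + "A" * 600,                 # oversize junk: stopped at the proxy
    "DATA", "Subject: hello", "", "mail from the booth", ".",
    "QUIT",
]

if __name__ == "__main__":
    for d in filter_smtp_session(BOOTH_SESSION):
        print(f"{d.action:8}{d.reason:30}{d.line[:60]}")
```

Of the twelve booth lines, nine reach the server and three are stopped at the proxy (VRFY, the outside-domain RCPT, and the oversize line). The server still sees DATA and the body, which is the point: the proxy is a policy choke point in front of the resource, not a replacement for the resource's own checks, and nothing here depends on the booth having authenticated.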