From: frantz@netcom.com (Bill Frantz)
Date: Wed, 24 Jan 1996 11:36:54 +0800
To: frankw@in.net>
Subject: Re: IPSEC == end of firewalls
Message-ID: <199601240125.RAA07818@netcom6.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At least maybe I can avoid Perry's wrath for an off topic post :-).

At 15:01 1/23/96 -0500, Perry E. Metzger wrote:
>You can't "firewall" every machine -- the act is meaningless. A
>Firewall is a filter designed to protect you from bugs in the setup or
>implementation of the software on the machines on the inside. What
>would it mean for a machine to have "firewall software" in the
>operating system? Systems already attempt to prevent unauthorized
>access -- the reason you have firewalls is because that software is
>sometimes buggy. "Firewall software" in the OS is a meaningless
>concept.
>
>Perry

I agree that firewalling every machine would be extreemly difficult with
Unix based systems (including MSDOS and MacOS) because so many usefull
hacker tools are available from root and everyone has access to root.  With
systems that provide better isolation, it becomes possible to dedicate the
network interface to the protection domain which is running the firewall
code.  You also need to divide up the administration so the direct user
does not break that isolation.

BTW, IBM's VM/370 (and successors) has good isolation and could probably
perform in this role.  Other systems such as KeyKOS
(http://www.webcom.com/~agorics/) and EROS (http://www.cis.upenn.edu/~eros)
certainly could.


-----------------------------------------------------------------
Bill Frantz                   Periwinkle  --  Computer Consulting
(408)356-8506                 16345 Englewood Ave.
frantz@netcom.com             Los Gatos, CA 95032, USA