1996-01-23 - Re: IPSEC == end of firewalls

Header Data

From: Ben <adept@minerva.cis.yale.edu>
To: Den of CryptoAnarchists <cypherpunks@toad.com>
Message Hash: 3872ce390c02f511fd01f89ce6a542bc52750936106d8c0cbdd2372c4892bb8b
Message ID: <Pine.SOL.3.91.960123105209.19188B-100000@minerva>
Reply To: <9601231159.AA27033@su1.in.net>
UTC Datetime: 1996-01-23 17:33:49 UTC
Raw Date: Wed, 24 Jan 1996 01:33:49 +0800

Raw message

From: Ben <adept@minerva.cis.yale.edu>
Date: Wed, 24 Jan 1996 01:33:49 +0800
To: Den of CryptoAnarchists <cypherpunks@toad.com>
Subject: Re: IPSEC == end of firewalls
In-Reply-To: <9601231159.AA27033@su1.in.net>
Message-ID: <Pine.SOL.3.91.960123105209.19188B-100000@minerva>
MIME-Version: 1.0
Content-Type: text/plain


> functionality of most firewalls would eventually be an add-on application 
> option for Operating Systems and that eventually it will be a standard 
> part of every Operating System.  Until then, we have to punt & keep using 
> firewalls.  

I'm not so convinced that adding 'firewall functionality' to an OS is 
such a good idea.  The idea behind having a firewall is that 
	*	You have a hardened host that has been stripped of
		anything that could be used by an attacker to compromise
		other systems
	*	You have a single machine that serves as the sole port of
		entry into your domain.  By keeping your defense perimeter
		nice and small it makes it manageable to maintain.  

When you start trying to switch firewall functionality to an OS you lose 
both these advantages.  You no longer have a system that is stripped of 
compilers, scripting languages, etc., and you now have a much larger 
security perimeter.

Ben.
____
Ben Samman..............................................samman@cs.yale.edu
"If what Proust says is true, that happiness is the absence of fever, then
I will never know happiness. For I am possessed by a fever for knowledge,
experience, and creation."                                      -Anais Nin
PGP Encrypted Mail Welcomed        Finger samman@suned.cs.yale.edu for key
Want to hire a soon-to-be college grad? 		Mail me for resume





