1996-01-23 - Re: IPSEC == end of firewalls

Header Data

From: David Mazieres <dm@amsterdam.lcs.mit.edu>
To: cypherpunks@toad.com
Message Hash: 3907378e9238dc49f09bea7f9a8980830a0b054bf94ef37bc29f0c802186b76a
Message ID: <199601231939.OAA29475@amsterdam.lcs.mit.edu>
Reply To: <9601231159.AA27033@su1.in.net>
UTC Datetime: 1996-01-23 21:35:28 UTC
Raw Date: Wed, 24 Jan 1996 05:35:28 +0800

Raw message

From: David Mazieres <dm@amsterdam.lcs.mit.edu>
Date: Wed, 24 Jan 1996 05:35:28 +0800
To: cypherpunks@toad.com
Subject: Re: IPSEC == end of firewalls
In-Reply-To: <9601231159.AA27033@su1.in.net>
Message-ID: <199601231939.OAA29475@amsterdam.lcs.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain


I once worked for a company where to get an outbound telnet connection
or to put a file with ftp, you needed to go through a gateway which
required us to use a hardware device to participate in a
challenge/response authentication scheme.

While this may be extreme, it points out a use of firewalls people
seem to be ignoring in this discussion:  enforcing policy.  Most
employees will have physical access to the network, and physical
access (=root privileges) to their workstations.  If you want to
enforce a policy of "no http servers, ftp servers, or anything else",
you can't allow any incoming Syn packets.  If you don't want to trust
every single person to configure his/her workstation to reject Syn
packets from outside, you need to do the filtering where most people
can't bypass it.

Now replace Syn above with whatever TCP/IPv6 uses, and the same will
hold.

That said, I hate firewalls.  I find being behind a firewall
incredibly painful.  I hope firewalls do die with IPv6.

David
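The filtering rule the message describes, as an added example that is not part of the original post: a stateless inbound check that parses an IPv4 or IPv6 packet down to the TCP header and drops segments with SYN set and ACK clear (an outside-initiated connection attempt), while letting the SYN/ACK and data segments of outbound connections through. It goes slightly beyond the text in that TCP over IPv6 keeps the same SYN flag, so one check covers both; it assumes no IPv6 extension headers, and the packets are constructed inline for the demonstration.

```python
import struct

TCP = 6
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def tcp_flags(packet: bytes):
    """Return the TCP flags byte of an IPv4/IPv6 packet, or None if not TCP."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4      # header length in bytes
        proto, tcp = packet[9], packet[ihl:]
    elif version == 6:
        proto, tcp = packet[6], packet[40:]   # Next Header; assumes no extension headers
    else:
        return None
    if proto != TCP or len(tcp) < 14:
        return None
    return tcp[13]


def inbound_policy(packet: bytes) -> str:
    """Policy for packets arriving on the outside interface: drop connection attempts."""
    flags = tcp_flags(packet)
    if flags is None:
        return "accept"                   # non-TCP traffic is outside this rule's scope
    if flags & FLAG_SYN and not flags & FLAG_ACK:
        return "drop"                     # bare SYN: someone outside is opening a connection
    return "accept"                       # SYN/ACK or data belonging to an outbound connection


def _tcp_header(flags: int) -> bytes:
    # src port, dst port, seq, ack, data offset (5 words), flags, window, checksum, urgent
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)


def build_ipv4_tcp(flags: int) -> bytes:
    """Constructed sample: 20-byte IPv4 header (documentation addresses) + TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + _tcp_header(flags)


def build_ipv6_tcp(flags: int) -> bytes:
    """Constructed sample: 40-byte IPv6 header (no extension headers) + TCP header."""
    ip = struct.pack("!IHBB16s16s", 0x60000000, 20, TCP, 64,
                     bytes(15) + b"\x01", bytes(15) + b"\x02")
    return ip + _tcp_header(flags)
```

A flag check like this is the stateless rule the message has in mind; later packet filters reach the same policy with connection tracking, which does not rely on inspecting the SYN flag alone.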
