1996-01-23 - Re: IPSEC == end of firewalls

Header Data

From: Frank Willoughby <frankw@in.net>
To: perry@piermont.com
Message Hash: 3feaa4a7b491f40fafc06acd38b9faedbcc30ebf83a0aece1480520291852200
Message ID: <9601232209.AA29864@su1.in.net>
Reply To: N/A
UTC Datetime: 1996-01-23 23:45:37 UTC
Raw Date: Wed, 24 Jan 1996 07:45:37 +0800

Raw message

From: Frank Willoughby <frankw@in.net>
Date: Wed, 24 Jan 1996 07:45:37 +0800
To: perry@piermont.com
Subject: Re: IPSEC == end of firewalls
Message-ID: <9601232209.AA29864@su1.in.net>
MIME-Version: 1.0
Content-Type: text/plain


At 03:01 PM 1/23/96 -0500, you wrote:


>Frank Willoughby writes:

Egads.  Let's take this off-line & stop bothering the cypherpunks 
folks with this discussion.  Those not interested in this thread
are kindly requested to hit the <delete> key now.  Thanks.  8^)


>Yes, certainly. You can bribe someone, get physical access to
>machines, etc.
>
>However, unless you know a way to crack RSA, it is unlikely that
>a system using Photuris+IPsec will permit IP spoofing.


I re-iterate, any system can be gotten around - and frequently will.
As far as IPsec goes, it is probably just a matter of time before we 
see the first CERT Advistory (maybe in a couple of years) on this.
Nothing is invincible.


>
>> The creativity of hackers is succeeded only by their motivation and
>> ability to put many hours into trying to solve a problem.  Including
>> the word "probably" was deliberate.  Kerberos was also thought to be
>> secure - 'til it was compromised.
>
>Kerberos was compromised? When? By whom? Are you talking about
>Bellovin's paper on weaknesses in Kerberos (most of which are
>avoidable or fixed in K5), or are you talking about a real break? If
>the latter, its the first that I've heard of it.

Actually, I was refering to Bellovin's paper.  Surely you don't think
that the bugs that were discovered are the only ones which can be 
exploited and that Kerberos (or any other software product) is invincible?
I don't.  


>> >> I suspect even when firewalls are embedded in the O/S,
>> >
>> >That would be somewhat meaningless. The point of a firewall, as others
>> >here have noted, is that it is easier to secure one machine than five
>> >hundred or ten thousand.
>> 

Of course it is easier to secure one machine that 500 or 10K.  However,
NOT securing the 500 or 10K systems still leaves them vulnerable to 
network attacks.  Providing the O/S with rudimentary firewalling 
capabilities helps to increase the security of those systems.  Like 
many of my colleagues in the Information Security field, I have 
(grossly) modified/hacked/butchered my systems to provide the system
with some rudimentary firewalling capabilities and the extra security
I needed.  In many cases, it meant taking advantage of strange behaviours 
of the systems to achieve the capabilities & results I wanted.



>> I disagree here also.  Systems by themselves are fairly useless.
>> Their power (and main vulnerability) comes from their ability to
>> network with other systems.  A system connected to a network is
>> vulnerable.  The fact that a corporate firewall protects the system
>> from the Internet in no way decreases the vulnerability of that
>> system (and other systems) from *internal* attacks which can be as
>> devastating as an Internet attack.
>> 
>> Including firewall capabilities as part of the Operating System's network
>> applications would help the system protect itself from abuses from the 
>> Internet - as well as from internal.
>
>These last two paragraphs are gibberish.
>

Beats me.  They make sense to me.  What part about Information & Network
Security don't you understand?  These are fairly basic concepts.  I can
go explain these concepts either in another forum or off-line via e-mail 
or phone (your dime, my time), but not here.  This is the cypherpunks 
mailing list, not the firewalls mailing list.


>You can't "firewall" every machine -- the act is meaningless. A
>Firewall is a filter designed to protect you from bugs in the setup or
>implementation of the software on the machines on the inside. What
>would it mean for a machine to have "firewall software" in the
>operating system? Systems already attempt to prevent unauthorized
>access -- the reason you have firewalls is because that software is
>sometimes buggy. "Firewall software" in the OS is a meaningless
>concept.
>

Perhaps this is where you are getting mixed up.  A firewall isn't 
just a box which you plug into a network between the company's WAN
and the Internet - it's a capability.  Many "firewalls" are systems
which implement this capability.  The main characteristics of the
firewall are (paraphrasing rather liberally from Steve Bellovin's 
book):

o The firewall is designed to protect an entity from a particular
   network connection.  Usually, we think of the entity as being
   another network.  In this particular case, we are putting in a
   firewall (or the ability to filter out what we don't to deal 
   with) on the O/S itself to reduce the risks of potential attacks
   from a network (internal LAN, Internet, etc).

o All traffic from the insecure network has to go through the firewall.
   Logical.  If the "firewall" is a piece of software which is installed
   on the O/S to "filter out" certain network connections, then we have
   "firewalled" our system.

Commercial firewall products such as: DEC's DECseal, Raptor's Eagle, 
V-ONE's SmartWall, etc, actually provide two levels of protection:  

1) They protect the internal network from hazards of the Internet 
    (or untrusted network)
2) The protect themselves from hazards of the Internet or other 
    untrusted network (such as the internal LAN)

Implementing a firewall as part of an O/S provides the protection 
mentioned in point number 2: It protects itself from the internal 
LAN to some degree.  Granted not as much as it possibly can, due 
to the fact that you have users & applications on the system which
aren't secure, however, an added measure of protection will be 
provided to the system.


>Perry


Perry, (and others who may be interested in this thread) 

This is my last mail on this thread in this list.  If you or others 
would like to discuss this further, please feel free to send me an 
e-mail directly or join me in discussing this in the firewalls mailing 
list.


Fellow cypherpunks,
I'm sorry about the bandwidth used in responding to Perry's question.
Unfortunately, it was addressed to the list and required a response
from me.  Thanks for your patience.

Back to the subject at hand (cryptography)


Best Regards,


Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com/fortified/

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.






Thread