From: Frank Willoughby <frankw@in.net>
To: Simon Spero <ses@tipper.oit.unc.edu>
Message Hash: 11bf7f91a1c92ded1a63c2a5ddc4679ff82dc7b4b6964a04df1a07855571be0f
Message ID: <9601240007.AA06686@su1.in.net>
Reply To: N/A
UTC Datetime: 1996-01-24 02:12:04 UTC
Raw Date: Wed, 24 Jan 1996 10:12:04 +0800
From: Frank Willoughby <frankw@in.net>
Date: Wed, 24 Jan 1996 10:12:04 +0800
To: Simon Spero <ses@tipper.oit.unc.edu>
Subject: Re: IPSEC == end of firewalls
Message-ID: <9601240007.AA06686@su1.in.net>
MIME-Version: 1.0
Content-Type: text/plain
At 01:40 PM 1/23/96 -0800, Simon Spero allegedly wrote:
>This thread definitely belongs as cypherpunks, as the whole point of the
>discussion is to debate the limits of what cryptography on its own can
>achieve.
>
Back, by popular demand...
I didn't really want to continue this discussion here, but I received
a couple mails requesting that I continue in this thread. I'm still
uncomfortable with this, but I'll oblige.
>What do you need as well as crypto before you can remove all firewalls?
I don't think this will ever happen. However, as long as we're dreaming,
here's my 2 cents worth on a good start for a secure environment would
look like. It's not complete by any stretch of an imagination, but it's
a start:
o Start with a Secure Operating System - Secure Computing's firewall is a good
example of this. They have done some pretty neat things with Type
Enforcement.
o Add in some decent authentication/encryption/verification mechanisms/digital
sigs, etc V-ONE's SmartGate, Fortezza, & Persona would do nicely. Hand-held
token devices such as the ones mentioned above should work well. Of course,
the user interface to these should be user-friendly.
o Throw in a secure method of communication PGP, PGPphone, etc - which is
*user-friendly* and which helps automate & manage the key-distribution
process (securely, of course)
o Mix in applications which have been re-written to be secure, fast, intuitive,
user-friendly & interact well with encryption (various kinds).
o Add in a central clearinghouse (don't care where) where the latest key
expirations/compromises can be checked automatically to confirm that
the e-mail you just received is still valid also wouldn't hurt.
o Combine the best capabilities of Checkpoint's (firewall) lower-level
filtering capabilities with V-0NE's upper-level filtering capabilities
and add these to the secure Operating System's network defense mechanisms
o Add a good dose of IPsec (sprinkling lightly) to secure the pipe
(kindly omitting the Watergate plumbers)
o Add user-friendly single sign-on capability (Kerberos, et al)
o Mix in heavy encryption with (ridiculously long) keys (say the number of
grains of sand stretched end-to-end to make a light year). 8^)
o Make all of the above user-friendly & easy-to-implement on a large scale 8^)
Throw the ingredients into a pot & stir briskly.
Like I said earlier, it's just a start & not a whole solution by any
stretch of the imagination. It's probably a nice wish list, though.
It'd sure be nice if it came true. (If you think the above list is
optimistic, you ought to see my Christmas Wish List). 8^) 8^) 8^)
>
>Simon
>
>(defun modexpt (x y n) "computes (x^y) mod n"
> (cond ((= y 0) 1) ((= y 1) (mod x n))
> ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
> (t (mod (* x (modexpt x (1- y) n)) n))))
Best Regards,
Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Return to January 1996
Return to “Frank Willoughby <frankw@in.net>”
1996-01-24 (Wed, 24 Jan 1996 10:12:04 +0800) - Re: IPSEC == end of firewalls - Frank Willoughby <frankw@in.net>