1996-01-23 - Re: IPSEC == end of firewalls

Header Data

From: Frank Willoughby <frankw@in.net>
To: cypherpunks@toad.com
Message Hash: 16bd000a2506b6cb07eb940aee42a3fa12cc9f27717986164b028fa6721755e3
Message ID: <9601232016.AA22238@su1.in.net>
Reply To: N/A
UTC Datetime: 1996-01-23 21:47:38 UTC
Raw Date: Wed, 24 Jan 1996 05:47:38 +0800

Raw message

From: Frank Willoughby <frankw@in.net>
Date: Wed, 24 Jan 1996 05:47:38 +0800
To: cypherpunks@toad.com
Subject: Re: IPSEC == end of firewalls
Message-ID: <9601232016.AA22238@su1.in.net>
MIME-Version: 1.0
Content-Type: text/plain


At 10:55 AM 1/23/96 -0500, Ben <adept@minerva.cis.yale.edu> wrote:


>> functionality of most firewalls would eventually be an add-on application 
>> option for Operating Systems and that eventually it will be a standard 
>> part of every Operating System.  Until then, we have to punt & keep using 
>> firewalls.  
>
>I'm not so convinced that adding 'firewall functionality' to an OS is 
>such a good idea.  The idea behind having a firewall is that 
>	*	You have a hardened host that has been stripped of
>		anything that could be used by an attacker to compromise
>		other systems
>	*	You have a single machine that serves as the sole port of
>		entry into your domain.  By keeping your defense perimeter
>		nice and small it makes it manageable to maintain.  
>

I agree with your statements above about firewalls and wholeheartedly
agree that a firewall needs these characteristics (among others) to 
remain relatively secure.  However, I'm not saying that adding
firewalling capabilities would make the system invincible.  I *am* 
saying that it would provide the system with more security than it 
currently has and would help to reduce (not eliminate) some risks 
associated with networking.  

Of course, it would be terrific if the vendors would produce Operating 
Systems which are secure AND usable.  (I think the market will eventually 
demand this from vendors, but this probably won't happen in the next year 
or two.)



>When you start trying to switch firewall functionality to an OS you lose 
>both these advantages.  You no longer have a system that is stripped of 
>compilers, scripting languages, etc, and you now have a much larger 
>security perimeter.
>

Agreed - to a point.  The idea is to provide the systems with increased
defensive capabilities - lowering potential risks.  (See above paragraph)


FWIW, I feel rather uncomfortable continuing this thread in the cypherpunks 
mailing list when the subject at hand deals more with firewalls than it 
does with cryptography.

I would prefer to continue this discussion in the firewalls mailing list
(of which I am a fairly regular participant).


If you would like to subscribe to the firewalls mailing list, send a mail to:

        majordomo@GreatCircle.com

(leaving the subject line blank)

and in the body of the message put:

subscribe firewalls "your_email_address" (omitting the quotes).


See you there.


>Ben.
>____
>Ben Samman..............................................samman@cs.yale.edu
>"If what Proust says is true, that happiness is the absence of fever, then
>I will never know happiness. For I am possessed by a fever for knowledge,
>experience, and creation."                                      -Anais Nin
>PGP Encrypted Mail Welcomed        Finger samman@suned.cs.yale.edu for key
>Want to hire a soon-to-be college grad? 		Mail me for resume

Best Regards,


Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com/fortified/
For a free downloadable Internet Firewalls Checklist, please see our home page.

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.
