From: Frank Willoughby <frankw@in.net>
To: cypherpunks@toad.com
Message Hash: 39551c0bc5265584573c9439e69b81b719ec7807ffc41c4ba59ab242fa78fe91
Message ID: <9601231947.AA20689@su1.in.net>
Reply To: N/A
UTC Datetime: 1996-01-23 21:53:46 UTC
Raw Date: Wed, 24 Jan 1996 05:53:46 +0800
From: Frank Willoughby <frankw@in.net>
Date: Wed, 24 Jan 1996 05:53:46 +0800
To: cypherpunks@toad.com
Subject: Re: IPSEC == end of firewalls
Message-ID: <9601231947.AA20689@su1.in.net>
MIME-Version: 1.0
Content-Type: text/plain
At 10:30 AM 1/23/96 -0500, perry@piermont.com allegedly wrote:
>
>Frank Willoughby writes:
>> While IP level security & authentication will go a long way to help
>> prevent abuses and reduce unauthorized accesses, I doubt if it will
>> provide enough protection by itself.
>
>I agree with this, but...
>
>> o Node Spoofing will probably still be possible
>
>Nope. It won't.
>
I disagree. I haven't met a system that couldn't somehow be gotten around.
The creativity of hackers is succeeded only by their motivation and ability
to put many hours into trying to solve a problem. Including the word
"probably"
was deliberate. Kerberos was also thought to be secure - 'til it was
compromised. Software isn't bug-free & design or security methodologies
can't provide 100%
coverage. Hackers take advantage of this and inherent weaknesses in design
flaws.
>> o The connections will probably also be subject to man-in-the-middle attacks
>> (Never underestimate the creativity of people who want to compromise your
>> networks)
>
>No, they won't be subject to such attacks any longer.
Answer is the same as the above paragraph. I try not to use the word "can't"
or "won't" when possible. Granted "probably" sounds wishy-washy, but it is
frequently accurate.
>
>The real problem, as you noted, is that our applications aren't very
>secure.
>
>> I suspect even when firewalls are embedded in the O/S,
>
>That would be somewhat meaningless. The point of a firewall, as others
>here have noted, is that it is easier to secure one machine than five
>hundred or ten thousand.
>
I disagree here also. Systems by themselves are fairly useless. Their
power (and main vulnerability) comes from their ability to network with
other systems. A system connected to a network is vulnerable. The fact
that a corporate firewall protects the system from the Internet in no way
decreases the vulnerability of that system (and other systems) from *internal*
attacks which can be as devastating as an Internet attack.
Including firewall capabilities as part of the Operating System's network
applications would help the system protect itself from abuses from the
Internet - as well as from internal.
>> IMHO, the first company to include a firewall as a standard part of their
>> Operating Systems has a real good shot at increasing their market share.
>
>Again, somewhat meaningless, as a real firewall involves defense in
>depth (screening routers, a bastion proxy host, etc) and is more of a
>configuration issue than an O.S. issue.
In the current context yes. However, a firewall is only solving one
part of the problem. Just as Information Security must be integrated
into every layer of a company (from users->system managers->managers->
executives), it must also be incorporated into each part in a network
(systems, LANs, external connections).
>
>Perry
Best Regards,
Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.
Return to January 1996
Return to “Rich Graves <llurch@networking.stanford.edu>”