1996-01-23 - Re: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.)

Header Data

From: Adam Shostack <adam@homeport.org>
To: nelson@santafe.edu (Nelson Minar)
Message Hash: 3a1f3ee652be85c2bc2c10c81f8194f95ff4f4ecd36fbce83483127e38acc844
Message ID: <199601230238.VAA00706@homeport.org>
Reply To: <199601230159.SAA00256@nelson.santafe.edu>
UTC Datetime: 1996-01-23 02:34:01 UTC
Raw Date: Mon, 22 Jan 96 18:34:01 PST

Raw message

From: Adam Shostack <adam@homeport.org>
Date: Mon, 22 Jan 96 18:34:01 PST
To: nelson@santafe.edu (Nelson Minar)
Subject: Re: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.)
In-Reply-To: <199601230159.SAA00256@nelson.santafe.edu>
Message-ID: <199601230238.VAA00706@homeport.org>
MIME-Version: 1.0
Content-Type: text


IPsec will not change the role of firewalls.  It will change some
technical details about them.

Firewalls do a couple of things:

	Enforce a policy boundary between us & them.  Reduce the
number of systems to be 'well secured' (This is because really
securing a machine is tough, and often involves sacrifices of
usability.) Provide job security/ass covering (see also, satisfy
auditors.)

	The fact that some traffic passing through is encrypted will
not change any of this.  Only allowing traffic to people who provide a
signature is only useful for some things.  Besides, there will always
be shitty protocols, like NFS, yp, SMTP, etc that need a firewall to
protect them.  Legacy systems are with us forever.  (I was in a
meeting last Thursday where we discussed how to handle a Sun3 that
needs to be a router in a CIDR environment.  No option to upgrade this
box for complex reasons.  I bring it up to illustrate the persistence
of legacy systems.)

Nelson Minar wrote:
| rah@shipwright.com (Robert Hettinga) writes:
| [interesting article about the future, which includes..]
| 
| >The reason we won't need LANs is because the only real difference between a
| >LAN and the internet is a firewall for security, and the need for clients
| >to speak Novell's TCP/IP-incompatible proprietary network protocol.  With
| >internet-level encryption protocols like the IETF IPSEC standard, you won't
| >even need a firewall anymore.  The only people who can establish a server
| >session with *any* machine connected to the net will be those issuing the
| >digital signatures authorized to access that machine, no matter where those
| >people are physically. When that happens, networks will need to be as
| >public as possible, which means, of course, TCP/IP, and not Netware.
| 
| I'm all for the end of ridiculous non-TCP/IP protocols, but does
| anyone believe this point about encrypted IP traffic eliminating the
| need for firewalls?
-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume
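The policy-boundary argument in the message above, as an added example that is not part of the original post: a toy inbound packet filter in Python, with constructed internal addresses and traffic, that admits IPsec only to a designated gateway and keeps NFS, yp and SMTP behind the boundary, so the set of externally reachable hosts stays small no matter how much of the traffic is encrypted. The gateway, relay and sample packets are assumptions made for the illustration.

```python
from dataclasses import dataclass
# IANA IP protocol numbers and well-known ports used below
ESP, AH, TCP, UDP = 50, 51, 6, 17
SUNRPC, SMTP, NFS = 111, 25, 2049

# Constructed site: one internal prefix plus the only two hosts hardened enough
# to face the outside (the small "well secured" set the message refers to)
INTERNAL_PREFIX = "10.0.0."
VPN_GATEWAY = "10.0.0.1"   # only host that terminates IPsec
MAIL_RELAY = "10.0.0.2"    # only host that speaks SMTP with the outside
LEGACY = {SUNRPC: "yp/sunrpc", NFS: "nfs"}   # never reachable from outside

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0   # only meaningful for TCP/UDP; 0 = not applicable

def inbound(pkt: Packet) -> bool:
    return not pkt.src.startswith(INTERNAL_PREFIX) and pkt.dst.startswith(INTERNAL_PREFIX)

def decide(pkt: Packet) -> str:
    """Boundary verdict for one packet, 'allow: ...' or 'drop: ...'."""
    if not inbound(pkt):
        return "allow: not crossing the boundary inbound"
    if pkt.proto in (ESP, AH):
        # Payload is opaque, so policy is enforced on the outer header: a valid
        # SA proves who the peer is, not that any inside host may be its target.
        return ("allow: ipsec to gateway" if pkt.dst == VPN_GATEWAY
                else "drop: ipsec to non-gateway host")
    if pkt.proto in (TCP, UDP) and pkt.dport in LEGACY:
        return f"drop: {LEGACY[pkt.dport]} stays behind the firewall"
    if pkt.proto == TCP and pkt.dport == SMTP:
        return ("allow: smtp to relay" if pkt.dst == MAIL_RELAY
                else "drop: smtp only to the relay")
    return "drop: default deny"

def externally_reachable(packets) -> set:
    """Internal hosts that some inbound packet was allowed to reach."""
    return {p.dst for p in packets if inbound(p) and decide(p).startswith("allow")}

# Constructed traffic from one outside host (192.0.2.0/24 is documentation space)
SAMPLE = [
    Packet("192.0.2.7", "10.0.0.1", ESP),
    Packet("192.0.2.7", "10.0.0.9", ESP),         # encrypted, still off-policy
    Packet("192.0.2.7", "10.0.0.9", UDP, NFS),
    Packet("192.0.2.7", "10.0.0.2", TCP, SMTP),
]
```

Running `decide` over `SAMPLE` shows the second ESP packet dropped despite being encrypted, and `externally_reachable(SAMPLE)` comes back as just the gateway and the relay.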