From: Adam Shostack <adam@homeport.org>
To: nelson@santafe.edu (Nelson Minar)
Message Hash: 3a1f3ee652be85c2bc2c10c81f8194f95ff4f4ecd36fbce83483127e38acc844
Message ID: <199601230238.VAA00706@homeport.org>
Reply To: <199601230159.SAA00256@nelson.santafe.edu>
UTC Datetime: 1996-01-23 02:34:01 UTC
Raw Date: Mon, 22 Jan 96 18:34:01 PST
Subject: Re: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.)
MIME-Version: 1.0
Content-Type: text
IPsec will not change the role of firewalls. It will change some
technical details about them.

Firewalls do a couple of things:

	- Enforce a policy boundary between us & them.
	- Reduce the number of systems to be 'well secured' (this is
	  because really securing a machine is tough, and often involves
	  sacrifices of usability).
	- Provide job security/ass covering (see also, satisfy auditors).

The fact that some traffic passing through is encrypted will
not change any of this. Only allowing traffic to people who provide a
signature is only useful for some things. Besides, there will always
be shitty protocols, like NFS, yp, SMTP, etc. that need a firewall to
protect them. Legacy systems are with us forever. (I was in a
meeting last Thursday where we discussed how to handle a Sun3 that
needs to be a router in a CIDR environment. No option to upgrade this
box for complex reasons. I bring it up to illustrate the persistence
of legacy systems.)

Nelson Minar wrote:
| rah@shipwright.com (Robert Hettinga) writes:
| [interesting article about the future, which includes..]
|
| >The reason we won't need LANs is because the only real difference between a
| >LAN and the internet is a firewall for security, and the need for clients
| >to speak Novell's TCP/IP-incompatible proprietary network protocol. With
| >internet-level encryption protocols like the IETF IPSEC standard, you won't
| >even need a firewall anymore. The only people who can establish a server
| >session with *any* machine connected to the net will be those issuing the
| >digital signatures authorized to access that machine, no matter where those
| >people are physically. When that happens, networks will need to be as
| >public as possible, which means, of course, TCP/IP, and not Netware.
|
| I'm all for the end of ridiculous non-TCP/IP protocols, but does
| anyone believe this point about encrypted IP traffic eliminating the
| need for firewalls?
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
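The point Adam makes above, that a firewall enforces a policy boundary and that IPsec peer authentication is one input to that policy rather than a substitute for it, can be shown with a small first-match packet-filter policy. This is an added example, not code from the thread or from any IPsec implementation; the zones, addresses (RFC 1918 and RFC 5737 ranges), ports and rules are constructed for illustration, and the `ipsec_auth` flag simply models "this packet arrived over a security association whose peer authenticated".

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology: 'inside' is the corporate net, 'dmz' holds public servers,
# everything else is 'outside'.
ZONES = {
    "inside": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    ipsec_auth: bool    # True if delivered inside an IPsec SA with an authenticated peer


def zone_of(addr: str) -> str:
    """Map an address to its policy zone; anything not listed is 'outside'."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str               # zone name or "*"
    dst_zone: str
    proto: str                  # "tcp", "udp" or "*"
    dports: frozenset           # empty set means any destination port
    need_ipsec: Optional[bool]  # True: only authenticated traffic matches; None: don't care
    action: str                 # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.src_zone in ("*", zone_of(pkt.src))
            and self.dst_zone in ("*", zone_of(pkt.dst))
            and self.proto in ("*", pkt.proto)
            and (not self.dports or pkt.dport in self.dports)
            and (self.need_ipsec is None or self.need_ipsec == pkt.ipsec_auth)
        )


# Policy: evaluated top to bottom, first match wins, default deny.
RULES = [
    # Legacy RPC services (portmapper/yp on 111, NFS on 2049) are never reachable
    # from outside. A peer proving who it is does not make the service itself safer.
    Rule("block-legacy-rpc", "outside", "*", "*", frozenset({111, 2049}), None, "deny"),
    # Internal mailers do not take SMTP from outside; the DMZ relay does.
    Rule("block-direct-smtp", "outside", "inside", "tcp", frozenset({25}), None, "deny"),
    Rule("public-smtp-relay", "outside", "dmz", "tcp", frozenset({25}), None, "allow"),
    # Inside hosts are reachable from outside only over an authenticated SA, and only for ssh.
    Rule("ipsec-ssh", "outside", "inside", "tcp", frozenset({22}), True, "allow"),
    # Public web servers live in the DMZ and are open to everyone.
    Rule("public-web", "outside", "dmz", "tcp", frozenset({80, 443}), None, "allow"),
]


def evaluate(pkt: Packet) -> tuple:
    """Return (action, rule_name) for the first matching rule, or the default deny."""
    for rule in RULES:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", "default-deny"


if __name__ == "__main__":
    # Constructed sample traffic from an outside host, some of it IPsec-authenticated.
    samples = [
        Packet("203.0.113.5", "10.1.2.3", "tcp", 2049, True),    # authenticated NFS: still denied
        Packet("203.0.113.5", "10.1.2.3", "tcp", 22, True),      # authenticated ssh: allowed
        Packet("203.0.113.5", "10.1.2.3", "tcp", 22, False),     # unauthenticated ssh: denied
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443, False),  # public web: allowed
    ]
    for p in samples:
        action, why = evaluate(p)
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto} ipsec={p.ipsec_auth}: {action} ({why})")
```

The ordering is the substance: the deny rules for legacy services sit above every allow, so an authenticated peer is still refused NFS or yp, while authentication only widens access where the policy explicitly says it may (the `ipsec-ssh` rule). That is the "policy boundary" job a firewall keeps doing once IPsec is in place.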