From: Frank Willoughby <frankw@in.net>
To: cypherpunks@toad.com
Message Hash: c5f5279cd8c7204948aaa31efb29f7587a092bc8cb80afd894922905c7d8045e
Message ID: <9601231159.AA27033@su1.in.net>
Reply To: N/A
UTC Datetime: 1996-01-24 14:29:44 UTC
Raw Date: Wed, 24 Jan 1996 22:29:44 +0800
Subject: Re: IPSEC == end of firewalls
MIME-Version: 1.0
Content-Type: text/plain

While IP level security & authentication will go a long way to help
prevent abuses and reduce unauthorized accesses, I doubt if it will
provide enough protection by itself. While I would love to be proven
wrong, I believe firewalls are here to stay (at least for the next
year or two). A couple of reasons why:

o Node Spoofing will probably still be possible
o The connections will probably also be subject to man-in-the-middle attacks
  (Never underestimate the creativity of people who want to compromise your
  networks)
o Authentication by itself will *not* provide adequate protection against
  many abuses
o End-to-end encryption by itself won't completely solve the problems either
  (however, it *does* go a long way to prevent man-in-the-middle attacks)
o While IP security & authentication helps to secure the pipe between the
  two systems which want to communicate with each other, it does not provide
  any security about the applications running over the pipe.
  (i.e. - if you and I have a secure pipe between your system and mine & you
  have a worm running loose on your network, the only thing the secure pipe
  will do is ensure that other systems (not in the pipe) won't be damaged as
  the worm propagates out of your network into mine).

Also. Which version of sendmail are we up to now?

As far as the future of firewalls goes, I would probably guess that the
functionality of most firewalls would eventually be an add-on application
option for Operating Systems and that eventually it will be a standard
part of every Operating System. Until then, we have to punt & keep using
firewalls.

I suspect even when firewalls are embedded in the O/S, that some type of
firewall will still be needed to quasi-isolate a company's network from
the Internet (and establish them as one entity) and to contain potential
networking problems which arise when someone configures their system with
the wrong IP address (or other type of problem).

IMHO, the first company to include a firewall as a standard part of their
Operating Systems has a real good shot at increasing their market share.
Perhaps the O/S vendors are paying attention to this list & will implement
this (would be nice). 8^) Of course, it would also help, if their systems
were delivered secure - out-of-the-box and we didn't have to spend so much
time continually locking them down & keeping up with the latest CERT
Advisories. 8^) 8^)

Best Regards,

Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/

<standard disclaimer>
The opinions expressed above are of the author and may not
necessarily be representative of Fortified Networks Inc.