Newsgroups: comp.protocols.tcp-ip
Path: sparky!uunet!haven.umd.edu!decuac!pa.dec.com!mogul
From: mogul@pa.dec.com (Jeffrey Mogul)
Subject: Re: Firewall usage
Message-ID: <1992Jul28.010344.9414@PA.dec.com>
Sender: news@PA.dec.com (News)
Organization: DEC Western Research
References: <1992Jul23.142026.20112@sci34hub.sci.com> <1992Jul24.161006.12786@practic.com> <JTW.92Jul27142002@pmws.lcs.mit.edu>
Date: Tue, 28 Jul 92 01:03:44 GMT
Lines: 50

In article <JTW.92Jul27142002@pmws.lcs.mit.edu> jtw@lcs.mit.edu (John Wroclawski) writes:
>Dave [Clark's] second point is that perhaps it is time to rethink the core
>architecture of the internet (or its follow-on) to specifically
>-include- mechanism to separate organizational policy functions (such
>as authentication, logging, and access control) from the actual
>service functions running on the typical host.

Actually, I think this approach was (in embryonic form, at least)
suggested several years ago by Deborah Estrin, who developed the
concept of Visa protocols. In this model, "border" routers pass
only those packets deemed allowable by an Access Control Server (ACS).
Instead of requiring each packet to pass through an ACS on the way
in or out of an organization, the end hosts get cryptographically-sealed
thingies (visas) to stick onto their packets. This allows
a distributed implementation, but also allows the ACS to set whatever
policy is desired. The downside is that the cryptographic stuff could
be rather costly, and the whole model depends on every external-access
host implementing the mechanism. For details, see
Deborah Estrin, Jeffrey C. Mogul, and Gene Tsudik.
Visa Protocols for Controlling Inter-Organization Datagram Flow.
IEEE Journal on Selected Areas in Communication 7(4):486-498, May, 1989.
I'm sure Dave knows about this stuff; Deborah did her dissertation at MIT.

>I suspect Mr. Denninger will disagree, but I find this to be dangerous
>and depressing thinking. A major strength of the Internet is the
>ability for new services to come into existence when they're needed,
>not several years later when a "nice clean requirement" has been
>formulated, written down, approved, standardized, and poked at by a
>layer or two of bureaucracy. In other words, the internet is strong
>because it can evolve.

Alas, while parts of the Internet can (and should) continue to follow
the "everything not forbidden is permitted" approach, which allows for
evolution, other parts have to follow the "everything not permitted
is forbidden" rule. The powers-that-be at a company such as Digital
are not going to permit us to run arbitrary experiments across the
boundary between the nasty wide-open Internet and our soft, naive
internal network. There's nothing intrinsically wrong with this; the
IETF doesn't require that everyone on the Internet experiment with a new
service before blessing it. Once a new service is properly understood,
we can (if we so choose) cut a hole for it in the firewall.

From time to time, I (hidden behind a firewall) find Digital's policies
to be a major pain; I still don't use services such as WAIS because of
the extra effort involved. But, I (and my coworkers) no longer spend
a significant part of our time either tracking down intruders, or
explaining to the corporate security types why they shouldn't shut down
our gateway complex.

-Jeff [who accepts the blame for a few of the firewalls out there]

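The visa model the post describes (an ACS decides policy once per flow and hands the host a sealed visa; the border router checks the visa on each packet without calling the ACS), as an added illustrative sketch that is not from the post or from the Estrin/Mogul/Tsudik paper. The HMAC seal, the shared ACS/router key, the policy table and the addresses are all constructed assumptions; the paper's real visa format and key distribution are not modelled.

```python
import hmac
import hashlib

# Constructed demo values (assumption: an HMAC over the flow description stands
# in for the paper's visa; how the ACS and router share the key is not modelled).
ACS_ROUTER_KEY = b"demo-key-shared-by-acs-and-border-router"
# ACS policy, "everything not permitted is forbidden": the only (destination,
# protocol) flows this organization lets out through the border router.
ACS_POLICY = {("192.0.2.25", "smtp"), ("192.0.2.53", "dns")}

def seal(key, src, dst, proto, expires_at):
    """Seal one flow description; used by the ACS to issue and the router to verify."""
    descriptor = f"{src}|{dst}|{proto}|{expires_at}".encode()
    return hmac.new(key, descriptor, hashlib.sha256).digest()

def acs_issue_visa(key, policy, src, dst, proto, now, ttl=300):
    """ACS side: consult policy once per flow and hand the host a visa, or refuse.
    The host attaches the visa to its packets, so the router never calls the ACS."""
    if (dst, proto) not in policy:
        return None
    expires_at = now + ttl
    return {"expires_at": expires_at, "visa": seal(key, src, dst, proto, expires_at)}

def router_check(key, packet, now):
    """Border-router side: pass a packet only if it carries an unexpired visa
    that the ACS sealed for exactly this (src, dst, proto) flow."""
    if "visa" not in packet:
        return "drop: no visa"
    if now > packet["expires_at"]:
        return "drop: visa expired"
    expected = seal(key, packet["src"], packet["dst"], packet["proto"], packet["expires_at"])
    if not hmac.compare_digest(packet["visa"], expected):
        return "drop: visa does not match flow"
    return "pass"

def demo(now=1_000_000):
    host = "10.0.0.7"
    # Permitted flow: the ACS issues a visa, the host attaches it, the router passes it.
    v = acs_issue_visa(ACS_ROUTER_KEY, ACS_POLICY, host, "192.0.2.25", "smtp", now)
    ok_pkt = {"src": host, "dst": "192.0.2.25", "proto": "smtp", **v}
    # The same visa presented on a packet to a different destination.
    reused = dict(ok_pkt, dst="198.51.100.9")
    # Flow the policy forbids: the ACS refuses, so the packet leaves without a visa.
    denied = acs_issue_visa(ACS_ROUTER_KEY, ACS_POLICY, host, "198.51.100.9", "telnet", now)
    bare_pkt = {"src": host, "dst": "198.51.100.9", "proto": "telnet"}
    return {
        "allowed": router_check(ACS_ROUTER_KEY, ok_pkt, now),
        "reused_on_other_dst": router_check(ACS_ROUTER_KEY, reused, now),
        "denied_visa_issued": denied is not None,
        "no_visa": router_check(ACS_ROUTER_KEY, bare_pkt, now),
        "expired": router_check(ACS_ROUTER_KEY, ok_pkt, now + 301),
    }
```

The sketch also makes the post's caveat visible: every host that talks across the border must implement the visa step, and the router pays a MAC computation per packet.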