Path: sparky!uunet!caen!sol.ctr.columbia.edu!usc!news
From: tsudik@pollux.usc.edu (Gene Tsudik)
Newsgroups: comp.protocols.tcp-ip
Subject: Firewall usage
Date: 30 Jul 1992 08:00:59 -0700
Organization: University of Southern California, Los Angeles, CA
Lines: 59
Sender: tsudik@pollux.usc.edu (Gene Tsudik)
Distribution: world
Message-ID: <l7g11bINNlib@pollux.usc.edu>
NNTP-Posting-Host: pollux.usc.edu

In article <Bs3vCz.K13@cs.columbia.edu> ji@cs.columbia.edu
(John Ioannidis) writes:

>* A firewall is no excuse for lax internal security. To wit:
> - In a large organization, there are bound to be "bad guys" (either
> through malice, negligence, or sheer stupidity) inside the
> organization as well. No firewall is going to protect you against
> those.

True. But it is safe to assume that there is a much larger and much more
"varied" population of "bad guys" outside than in.

> - A firewall only protects you against *known* external threats.

This is not a convincing point. Any security measure, whether implemented in
a firewall gateway or in an end-system, is going to protect you only against
*known* attacks.

>* The network should switch bits and enforce routing policies -- not
> cover up for insecure applications.
>
>* Having firewalls reduces the urgency (that is, the pressure on the
> vendors) of patching those security holes. It's a vicious cycle.
>
>* We've seen analogies such as putting locks on the front door rather
> than each individual room, and that it's perfectly acceptable
> capitalist behavior to put a firewall gateway in front of your
> network. I claim that this is far from being capitalistic; you're
> being communist inside, and hiding behind an Iron Curtain.

I see. So, to be a true capitalist I would have to padlock the doors to
individual rooms (end-systems or hosts) and let the sh*t fly in the corridors,
right?

I'm afraid that no matter how secure you make the hosts, the problem of
securing internal links will remain. You are assuming that the only purpose of
firewalls is to protect otherwise vulnerable hosts.
What about the rest of the internal network resources: links, bridges, and even
the network interfaces of the very same hosts?

Without firewalls, no matter how secure the OS,
your workstation can be bombarded and flooded with meaningless garbage
traffic from outside of your organization. This can render your
workstation unusable. Moreover, valuable communication resources, e.g.,
critical internal links, can be similarly flooded with trash from the outside,
thus denying service to legitimate internal users.

I don't think many people (me included) believe that firewalls are elegant.
They constitute an ugly solution to an even uglier problem.

Cheers,

Gene

gts@zurich.ibm.com

--
----------------------
Gene Tsudik, Member FDIC
