Dailydave mailing list archives
Re: This just in: Firewalls are obsolete
From: Daniele Muscetta <muscetta () gmail com>
Date: Tue, 12 Jul 2005 10:35:22 +0200
On 7/12/05, Gadi Evron <ge () linuxbox org> wrote:
> Jonatan B wrote:
> > Please use the brand new "ACL Technology" instead.
> >
> > From the article:
> > "... By defining simple ACLs, we further isolate our backend servers."
> > http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml?articleId=165700439
>
> Ignoring this (not you) for a minute, there is some serious research done in the UK in the Jericho group which is called "deperimeterization". Basically, they say, and I am probably mis-representing their ideas, that we have been poking holes in the "so-called" perimeter for years now. [...] If you can bring every (erm, every?!) machine in your network to where it is secure enough to be on the Internet, on its own.. then why do you still need a perimeter? According to them the only reason to still keep one would be management related.
>
> I personally find the entire idea absurd and ridiculous. However, I know some of the people involved and they are extremely serious and smart people. They invested a lot of thinking into this so I must not be getting the big picture. I may find this ridiculous, but I am far from vain enough to dismiss some of these people and their work so readily.. I must simply not be getting it.

There are a lot of people who agree with this, and a lot of people who disagree. The Jericho Group idea of "deperimeterization" was presented by Paul Simmonds at BlackHat Europe 2004 as a keynote, and I found it very interesting. I wrote about that on http://www.itvc.net/blackhat04/19.asp (in Italian).

Steve Riley has spoken about a similar concept, with different wording: "the death of the DMZ". Recently also Marcus Ranum was interviewed on SecurityFocus and was asked about this.

Anyway, this is the kind of subject that is very suited for LONG threads... with alternate mails from the two parties: those who agree and those who don't.

Just to mention what *I* think about, I recently blogged about my opinion on http://www.muscetta.com/b2.php?p=47&c=1 (there are also the links to both Ranum's interview and Riley's speech)

Best to all,
Daniele