Firewall Wizards mailing list archives

Re[2]: Firewalls/Internet Security - TNG


From: Rick_Giering_at_mpg003 () ccmailgw mcgawpark baxter com
Date: Wed, 10 Dec 1997 13:19:32 -0600

Author:  "Wright; Steven" <SWright () v-one com> at Internet
Date:    12/9/97 2:18 PM

Edward Cracknell writes:
So, firewall development is slowing/stopped. Intrusion detection is the
future.....then where?

Marcus J. Ranum writes:
Where next? I think that for security products to succeed, and for
network/system management products to succeed, the two must become one.

I can do nothing more than ecstatically agree with MJR!!!!!


Steven R. Wright
Sr. Software Engineer
V-ONE Corporation
swright () v-one com         

I think this is missing an important area, application and system level 
security. 

I know that the trend over the last 20 or so years has been to separate system, 
application, and network security. But, I believe this has resulted in problems 
like viruses, ActiveX, and the current abuse of http. 

People have made a big issue of late that the network is the computer. If so, 
then you can't have network security separate from system security. If the 
network is the system, they are one and the same.

Next, almost all security abuses are application abuses. Why? Because 1) 
developers are busy writing useful and "cool" code and don't have much time for 
the security aspects of what they are doing (witness the rise of client/server 
non-firewall-capable web server management products a la Frontpage) and 2) users 
don't care about the details (including security details); they just want the 
"cool" and useful apps those developers are developing.

In the end, developers will find a way around any security wall either through 
politics (wave enough money at a marketing type and he can do anything!) or by 
using existing paths for non-conventional uses (e.g. transporting software over 
http like Pointcast, ActiveX, Java, etc.)

We haven't even talked about client/server apps that use RPC! I think they will 
be the next explosion as vendors produce tools that make DCOM over RPC braindead 
simple to implement.

My personal view is that security is a joke and will continue to be until 
applications and data merge. Then, there are no "applications," just smart data 
that can change and reconfigure itself. The network/system provides 1) a 
transport and place for the data to "run/exec" and 2) the means for 
authenticating users, systems, network interfaces, and the smart data 
themselves. This smart data also contains all of its own security. This results
in security no matter where the data resides and no matter how it got there 
(floppy, network, tape, email, etc.)

I know this view is pretty radical but I don't think anyone will implement it 
anyway. Comments?

Rick Giering
Note: These are my views and having to do with my employer.