Firewall Wizards mailing list archives

Re: Forrester Research foresees death of firewalls


From: "Tim Kramer" <tkramer () irt net>
Date: Wed, 16 Jun 1999 05:04:03 +0000

Forrester seems to have taken an idealistic view of what network
security (in their view) should be.

Uh, hmm....   This means:

1)  My employer is supposed to share its computing resources with
anyone that wants it?  (e-mail services, address book, corporate phone
book, software we wrote, software we bought, etc)

2)  Everyone in the world will suddenly become trustworthy and be
nice to each other?  (no more disgruntled employees, virus authors,
hackers, crackers, spies, thieves, etc)

3a)  I'm due for a lobotomy?  (That's the only way I'll start trusting
strangers who appear at my outer interface.)  (I only provide one
service to the outside world and it's not for general use.  It's also
routed to a separate Class C.)

3b) My son (and my neighbor's sons) won't see the light of day until
his (their) eighteenth birthday?  Alternate question: (possible extra
credit) Describe the average hacker on the Internet.  (extra-extra
credit if you can do it in two words)

Upon close inspection of the below, I take exception to:

1) "shared responsibility" - if someone changes/damages resources
on my network, I want to be able to focus on the SOLE person responsible.

2)  "Real world business relationships are built on trust backed by
accountability"
We're talking about capitalism here, right?  What school of business is
teaching THAT paradigm?  I seem to remember that businesses compete with
one another.  If the guy down the street is selling the same product as I
am, am I supposed to let him know how I can sell the product 10% cheaper
than he can?

3) "not prevention" - I'm not supposed to put the burglar alarm in my store
just to be sure that the guy (in 2 above) doesn't break into my store to
find out that same information without my permission?

4) "inspect content" - I think that last week was a prime example why we
should inspect content that comes off the Internet.  ExploreZip sounds like
a very nasty virus to have loose on your internal network.

5) "foster openness, shun complexity" in one paragraph, "hooks to x.509
certificates, LDAP directories, and policy management" in the next paragraph.
What is THIS, some sort of oxymoron?  I guess it's easy as long as you don't
have to administer LDAP and certificate servers.  Also, what is meant by the
phrase "policy management"?  If I have a policy I'd like implemented on my
network, I'm not supposed to make it easy on myself by having a single point
on the network where I can enforce that policy?  (Before you respond,
remember, this IS one of the things that a firewall does.)

I think that Forrester has gotten just a little too abstract in their
thinking.  Somewhat like saying that law enforcement is a bad thing as it
intrudes on many of
our freedoms and people often get hurt by law enforcement officers.  So we
should do away with laws, be nice to each other, and share our belongings
(after we've written our name on them so that we know who owns them when
it comes time to fix them).

Is Forrester actively involved in any form of computer security?  Do they have
any valid basis for such a Luddite-type of view of network security?  Anyone?
I read this as a type of "information-wants-to-be-free",
"remember-the-good-old-days-when-you-could-trust-strangers" rhetoric.
It borders on being offensive.

(Sorry.  Flame me if you want.)
Tim Kramer
tlk () irt net


"SMITH, Michael @Ottawa" wrote:
<snip>

The proposed rules of Inverted Security are: foster openness, shun
complexity, share responsibility, and emphasize accountability.  On this
last point, the report notes, "Real-world business relationships are built
on trust backed by accountability, not prevention."

Expanding on the notion of sharing responsibility, the report says,
"Deploying firewalls to deny bad connections, inspect content, authenticate
users, and encrypt traffic will result in network traffic grinding to a
halt.  Instead, distribute protection throughout the enterprise using
routers, Web servers, and application servers.  Unite these components
through hooks to x.509 certificates, LDAP directories, and policy management
systems like Axent's Enterprise Security Manager."


<snip>



