Firewall Wizards mailing list archives

Re: Forrester Research foresees death of firewalls


From: David LeBlanc <dleblanc () mindspring com>
Date: Sun, 20 Jun 1999 12:21:09 -0700

At 10:42 PM 6/16/99 -0400, Adam Shostack wrote:

> Firewalls enter into the picture only as a perimeter tool; you ensure
> data only gets in on two or three points.  The real security will need
> to be on the servers.  Let's stop trying to pretend firewalls are
> anything more than a stopgap.

I can't agree that firewalls are only a stopgap.  I do agree that it is a
tremendous fallacy to think that because you have a firewall, your network
is now secure.

IMO, there are a lot of components to properly securing a network,
especially a very large one.  I wouldn't want to try and secure an
enterprise network without a firewall - I _might_ be able to secure a
half-dozen machines against the full extent of what is thrown at me from
the internet without one, but when you start to talk about tens of
thousands of machines, then thinking that you can implement host-based
security is, IMNSHO, ridiculous.  Perhaps I can lock down my really
important machines (and should, as most compromises are from the inside),
but we all know that one can often leverage a compromise of an unimportant
machine to compromise others.

I would no more consider not securing the perimeter than I would
consider leaving the locks off my doors at home.  That's only the first
step - I also need to educate my users, establish a policy of what is
acceptable, and find ways to enforce that policy.  I also need some way to
monitor the network, both on the wire and host-based - remember that you'll
NEVER get all the hordes of end-users all locked down as you'd like, except
in the most restrictive and security-conscious environments, so you need
some way to verify what you've got out there, what problems it might have,
and in a large network some way to manage all that data.

Take away any one component of securing the network, and you're going to
have problems - we need all of this in place.


David LeBlanc
dleblanc () mindspring com


