Firewall Wizards mailing list archives
RE: The Death Of A Firewall
From: "Joe" <gijoe () vinylflesh com>
Date: Wed, 9 Nov 2005 16:59:59 -0500
Well the article says they are "close to achieving that goal" so perhaps they realized you still need a firewall at perimeter points to public networks to reduce network "noise" from impacting their internal network service levels (SLAs) and have those internal switches see the pounding. :) But what Mr Berman has accomplished as what I believe to be the endgame and what we are doing today with network security architecture as fanatical on networks when the threat profile as so focused above it. I believe the endgame will have the network become a utility you buy like electricity. Clients will be connected to this utility (wired or wireless.) This utility would be a complete convergence of internal building connectivity directly connected to the Internet. Your service level for this utility will have the utility company guarantee availability and low latency but not security. If you think about it for the utility company to meet the SLA the will have to run software to block network noise like DDoS, port scans, etc from the portal point to the Internet. Server farms will be the last bastion (no pun intended) of small networks with application layer firewalls front-ending them. Of course from a form factor perspective the server farm may reduce to a piece of heavy iron full of virtualization. Clients should be commodotized multimedia systems that are kiosks to applications that serve data managed by document management/entitlement systems. This way when data is requested, copies of the data sent to clients is "watermarked" with who/what/where/when the data is accessed by. There will always be data leakage of some form. Document management/entitlement systems integration with watermarking at least helps you track it and plug it. Given we already have it that people use their PDA/phone for both business and personal it is unrealistic to be able to limit the use of the client to specific applications. All you can do is secure it from infection. Of course proactive people would have their clients run various "Anti-badstuff" software with automatic updates. Other people will wait to their client connects to an application (personal banking or work portal) that scans the client. Those clients with "good hygiene" have access. Those who do not are warned and given options to clean their mess. Don't read the current NAC amd NAD solutions from Cisco and Microsoft respectively on this. I am thinking more of a solution like WholeSecurity. I am not presenting the endgame as a utopia, just as what appears to me to be a logical progression of things to come. The threat profile in the application space will just get very ugly. My imagination comes up with rogue EJBs on Java Application Servers. Like electricity, as a utility all the network will need to be is highly available and clean from line noise and other interference. Am I thinking heresy ? - Joe ======================== Subject: RE: [fw-wiz] The Death Of A Firewall Date: Thu, 27 Oct 2005 16:31:21 -0400 From: <hugh_fraser () dofasco ca> To: <firewall-wizards () honor icsalabs com> There's a lot in the article that's left to speculation. I admire their internal network design; multiple security zones with clearly-defined services separated by application-layer firewalls, network ACLs to control traffic flows. Being able to accurately profile traffic traversing the network allows strict firewall rules and network ACLs, and greatly enhances the IDS or IPS ability to identify bogus traffic. He's also got an compartmentalized network that may allow him to contain a virus or worm, preventing, for instance, a workstation infected with a virus from spreading it to the core business servers. It's not clear what he's done with the clients. They're running a hardened OS, with the latest AV and presumably a firewall. He hasn't said they've got cart-blanche to run anything they want; perhaps the clients are locked down to a selection of approved apps, but they have broader selection than most of us would. With all the effort they've put in to the rest of their network, I have to assume that they've recognized the threats from the workstation and have instrumented and profiled them as well as they have elsewhere. Unfortunately, this isn't usually the case. It's the exceptions that get you. The users with extra rights that turn off the firewall, the admin people who've opened up some extra inbound ports in their firewall to allow a "special" app to work, the machines that for some reason didn't get the latest AV signature. And I can just imagine the complaints from our network group as their switches (which we rely on for traffic flow management, not security) start to see some of the pounding our perimeter firewall receives. So it's tough to understand why, with all the effort they've put in to hardening the interior, he would resist adding the incremental cost of one more firewall to protect the perimeter and potentially have the best of all worlds (a crunchy exterior and interior), unless it's really is for "Taking that crutch away has forced us to rethink our security model". I'd be inclined to find another way to sell that lesson. -----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Pedski Sent: Monday, October 17, 2005 9:30 PM To: James Paterson Cc: firewall-wizards () honor icsalabs com Subject: Re: [fw-wiz] The Death Of A Firewall James Paterson wrote:
http://www.securitypipeline.com/165700439 Be interesting to get the communities take on this article.
-- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.362 / Virus Database: 267.12.8/163 - Release Date: 11/8/2005 _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- RE: The Death Of A Firewall hugh_fraser (Nov 02)
- <Possible follow-ups>
- Re: The Death Of A Firewall sai (Nov 02)
- RE: The Death Of A Firewall Joe (Nov 17)