Information Security News mailing list archives

Don't Trust a Firewall


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 20 Sep 1999 16:13:27 -0600


From: darek.milewski () us pwcglobal com


http://www.zdnet.com/filters/printerfriendly/0,6061,2334963-50,00.html
Don't Trust a Firewall
By Frank J. Derfler, Jr., PC Magazine
September 17, 1999 7:21 AM PT

At this week's NetWorld+Interop trade show in Atlanta, network security is
on everyone's mind.  Headlines about Hotmail's security hole and potential
security problems with WebTV are fresh, and there's talk of the
inevitability of network penetration attempts.

And the experts are concerned about the reliability of existing
technologies to thwart intruders.  "Firewalls are dinosaurs!" says Robert
Moskowitz, senior technical director of the International Computer
Security Association. He was seated on a panel with Marcus Ranum, CEO of
Network Flight Recorder and maker of the first commercial firewall product
in 1989. "There are so many holes in firewalls for special applications
that I no longer trust the technology," Ranum said.

Sacrificial Systems

What's the solution? The experts speaking on panels throughout the
conference emphasized that companies should implement standard
administrative security practices because most saboteurs come from the
inside. Experts also suggested putting on the public Internet sacrificial
systems that you expect to be abused but that don't have any physical
network connection to your business systems.

No one has a silver bullet for stopping intruders and saboteurs, but
several companies are offering products to slow them down. A new product
called Packeteyes, from SBE, consists of a small router able to make one
T1 connection that examines and reports on the specific content of every
packet it passes. Running on any Microsoft Windows PC, Packeteyes uses
graphical tools to help administrators create policies concerning what
sources may access specific data and applications.  Policy management is a
point defense against attack.

The experts are positive about virtual private networking (VPN) and IPSec
technologies. VPN products are everywhere on the show floor, and the VPN
flood has spawned associated products. VPN value-added services, including
bandwidth management and extensive end-user support, are available from
companies as diverse as AT&T and TimeStep. A small startup called Blue
Steel Networks demonstrated an add-in hardware processor that takes over
IPSec number-crunching from a server's CPU.

[snip..]
