Dailydave mailing list archives

Re: This just in: Firewalls are obsolete
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 12 Jul 2005 01:19:00 +0200

Jonatan B wrote:
Please use the brand new "ACL Technology" instead.

From the article:
"... By defining simple ACLs, we further isolate our backend servers."

http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml?articleId=165700439

Ignoring this (not you) for a minute, there is some serious research done in the UK in the Jericho group which is called "deperimeterization".

Basically, they say, and I am probably mis-representing their ideas, that we have been poking holes in the "so-called" perimeter for years now.
First with needed ports for services (80, 21, 25, etc.).
Then (again, according to them) when almost everyone moved to Microsoft they were forced to run a flat network.. blocks in our networks simply couldn't work anymore. One example I heard was: Try for example to run Active Directory, a domain etc. Each requires dozens of ports open. What you end up with is Swiss cheese.

Further, they say that if you spend the effort of securing laptops which will be used both on the Internet and on your organizational network, and determine that that is enough, why not do the same for the rest of your network?

If you can bring every (erm, every?!) machine in your network to where it is secure enough to be on the Internet, on its own.. then why do you still need a perimeter? According to them the only reason to still keep one would be management related.

I personally find the entire idea absurd and ridiculous. However, I know some of the people involved and they are extremely serious and smart people. They invested a lot of thinking into this so I must not be getting the big picture. I may find this ridiculous, but I am far from vain enough to dismiss some of these people and their work so readily.. I must simply not be getting it.

My point is, however, that there is some research done in this area.. not directly related to your article, which may be of interest. There are many ways of doing security, some of which may be wrong but others might simply not fit your philosophy.

I know some people who would fight to secure every bit and byte. Others who would indeed create a perimeter and declare everything inside trusted, etc. None of these ways of thinking are wrong.. some might just fit you better than others for whatever specific task you have at hand.

However, getting back to this article, saying that we don't need firewalls because we can use ACLs... is one of the silliest statements I ever heard. It's pretty much like saying.. "hey, we don't need a picket fence, we can use a wooden fence."

Another issue I'd like to address about this article is that the guy actually got something that I'd agree on. Network blocks are a pain. I never give up on placing different segments of the network in separate environments, closing them from each other. Still, that is a major productivity problem, and the solutions are not always simple.

        Gadi.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave