Educause Security Discussion mailing list archives

Re: paloalto firewall


From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Fri, 21 Dec 2007 12:08:06 -0500

Simson Garfinkel and I actually designed this same mechanism for a
government agency to use in their firewall in the mid 1990s -- cause
the firewall to act as a proxy.   The connections are encrypted from
client to firewall, and from firewall to end host.  However, the
firewall can inspect the contents of the stream.

Why do this?   Because it was a government agency -- they had strict
policies about what employees could do at work, they were concerned
about viruses and hacking coming in unexamined, and they were very
concerned about an insider exfiltrating sensitive information (it was
not a classified environment).  Those were all valid concerns, and
they were supported by law and regulation.

In an academic environment you may have the same concerns, but you may
not have the same level of authority over your user population
activities.  Perhaps you do on the administrative side, but not likely
in the case of faculty or students.   In different commercial settings
you will have both, too.

So, the PaloAlto firewall approach (and other means to enable
inspection of streams to the "outside") may not be appropriate in each
environment.   That's true of most tools.   But that doesn't mean it
is "broken" or "not secure."   It means it does what it is intended to
do to support a particular type of policy in certain environments.
A firewall that passes all traffic when configured to do so is not
broken, nor is one that does not pass any packets unless they are
signed using IPsec by a known entity.  Those are simply different
policies.

BTW, I have no connection with PaloAlto -- I have no idea if they came
up with the design independently, or whether this is someone who read
our paper or interacted with the government agency.   It probably
doesn't make a difference, unless they tried to patent it. :-)

--spaf
