Educause Security Discussion mailing list archives
Re: paloalto firewall
From: Gene Spafford <spaf () CERIAS PURDUE EDU>
Date: Fri, 21 Dec 2007 12:08:06 -0500
Simson Garfinkel and I actually designed this same mechanism for a government agency to use in their firewall in the mid 1990s -- cause the firewall to act as a proxy. The connections are encrypted from client to firewall, and from firewall to end host. However, the firewall can inspect the contents of the stream.

Why do this? Because it was a government agency -- they had strict policies about what employees could do at work, they were concerned about viruses and hacking coming in unexamined, and they were very concerned about an insider exfiltrating sensitive information (it was not a classified environment). Those were all valid concerns, and they were supported by law and regulation.

In an academic environment you may have the same concerns, but you may not have the same level of authority over your user population activities. Perhaps you do on the administrative side, but not likely in the case of faculty or students. In different commercial settings you will have both, too.

So, the PaloAlto firewall approach (and other means to enable inspection of streams to the "outside") may not be appropriate in each environment. That's true of most tools. But that doesn't mean it is "broken" or "not secure." It means it does what it is intended to do to support a particular type of policy in certain environments. A firewall that passes all traffic when configured to do so is not broken, nor is one that does not pass any packets unless they are signed using IPsec by a known entity. Those are simply different policies.

BTW, I have no connection with PaloAlto -- I have no idea if they came up with the design independently, or whether this is someone who read our paper or interacted with the government agency. It probably doesn't make a difference, unless they tried to patent it. :-)

--spaf