Firewall Wizards mailing list archives
Re: Time for a new FWTK?
From: Bennett Todd <bet () rahul net>
Date: Fri, 28 Nov 1997 10:48:34 -0800
1997-11-28-17:43:22 Craig Brozefsky:
> 1997-11-28-12:09:01 Bennett Todd:
>> It's early to say yet whether this implementation will be the successful pioneer that carries us through this next revolution, but it certainly shows the direction.
> I don't think NFR is positioned as a replacement for firewalls, or whatever the fruit of the last "revolution" was.

Sorry! Very, very sloppy wording on my part; I was making that up as I went along, and ended up somewhere different from where I started. I have _got_ to start proofreading more carefully before I ship.

So, to try again. I agree 100% that we don't have the technology to implement an adaptive, automatically reactive firewall today. However, we are just beginning to get the kind of flexible tools that can let us (a) experiment with different views, extracts, subsets of the data flowing over the wire, to better characterize ``normal'', ``typical'' behavior; (b) experiment with various strategies for setting thresholds that define various sorts of out-of-bound behavior; and (c) as we find good alarm generation strategies and thresholds, hook them up to automated response procedures. Work is yet to be done, but I think the tool for the job will look a good bit like NFR. In fact, it may be NFR :-).

As for my ``next revolution'' blather, yup, sounds like I meant ``replace firewalls''. Nope, that's not what I had in mind, only what I wrote :-). What I was thinking was that firewalls defined a new tool to use for security management. They were an exciting and novel development when the first papers and implementations started rolling out. For several years thereafter it required a multi-discipline expert, strong in security programming, networking, OS configuration, and so on to set up a firewall. Then Cheswick&Bellovin came out, then Chapman&Zwicky, then various nicely-packaged portable easy-to-use tools, then the LDP Firewall HOWTO, and all of a sudden any random shmoo can make a state-of-the-art firewall out of some used bubble-gum and a couple of asphalt shingles, using only tools found around the home. The magic and mystery has gone out of it. Firewalls are and will remain terrifically valuable tools in our repertoire, until and unless we get rock-solid deployed-to-every-desktop security and potent distributed admin tools.

But we're due for another revolution; we've absorbed and digested the last one and it's time to figure out the next step. I think the next step is going to involve getting a better grip on the bits that fly over our wires, and learn how to manage them, and automatically respond to changes in them. And the fantasy reactive firewall that learns and adapts suddenly seems within sight; I think it just got to be a bit nearer than a pipe-dream, more like ``coming soon to an OS near you''.

-Bennett