Firewall Wizards mailing list archives

Re: Time for a new FWTK?


From: Bennett Todd <bet () rahul net>
Date: Fri, 28 Nov 1997 10:48:34 -0800

1997-11-28-17:43:22 Craig Brozefsky:
> 1997-11-28-12:09:01 Bennett Todd:
> > It's early to say yet whether this implementation will be the successful
> > pioneer that carries us through this next revolution, but it certainly
> > shows the direction.
>
> I don't think NFR is positioned as a replacement for firewalls, or
> whatever the fruit of the last "revolution" was.

Sorry! Very, very sloppy wording on my part; I was making that up as I
went along, and ended up somewhere different from where I started. I
have _got_ to start proofreading more carefully before I ship.

So, to try again.

I agree 100% that we don't have the technology to implement an adaptive,
automatically reactive firewall today.

However, we are just beginning to get the kind of flexible tools that
can let us

(a) experiment with different views, extracts, subsets of the data
    flowing over the wire, to better characterize ``normal'',
    ``typical'' behavior;

(b) experiment with various strategies for setting thresholds that
    define various sorts of out-of-bound behavior; and

(c) as we find good alarm generation strategies and thresholds, hook
    them up to automated response procedures.

Work is yet to be done, but I think the tool for the job will look a
good bit like NFR. In fact, it may be NFR:-).

As for my ``next revolution'' blather, yup, sounds like I meant
``replace firewalls''. Nope, that's not what I had in mind, only what I
wrote:-). What I was thinking was that firewalls defined a new tool to
use for security management. They were an exciting and novel development
when the first papers and implementations started rolling out. For
several years thereafter it required a multi-discipline expert, strong
in security programming, networking, OS configuration, and so on to set
up a firewall. Then Cheswick&Bellovin came out, then Chapman&Zwicky,
then various nicely-packaged portable easy-to-use tools, then the LDP
Firewall HOWTO, and all of a sudden any random shmoo can make a
state-of-the-art firewall out of some used bubble-gum and a couple of
asphalt shingles, using only tools found around the home. The magic and
mystery has gone out of it. Firewalls are and will remain terrifically
valuable tools in our repertoire, until and unless we get rock-solid
deployed-to-every-desktop security and potent distributed admin tools.
But we're due for another revolution; we've absorbed and digested the
last one and it's time to figure out the next step. I think the next
step is going to involve getting a better grip on the bits that fly over
our wires, and learn how to manage them, and automatically respond to
changes in them. And the fantasy reactive firewall that learns and
adapts suddenly seems within sight; I think it just got to be a bit
nearer than a pipe-dream, more like ``coming soon to an OS near you''.

-Bennett
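
Steps (a) through (c) from the message above, as a small added example (not part of the original post and not NFR code). The chosen view (distinct destination ports per source per interval), the median-plus-MAD threshold, the function names and all flow records are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def view_distinct_ports(flows):
    """(a) One extract of the wire data: distinct destination ports
    contacted by each source in each interval."""
    ports = defaultdict(set)
    for interval, src, dport in flows:
        ports[(interval, src)].add(dport)
    return {k: len(v) for k, v in ports.items()}

def fit_threshold(samples, k=5.0, floor=1.0):
    """(b) Threshold = median + k * MAD over the baseline samples.
    floor keeps the band from collapsing when the baseline is constant."""
    med = median(samples)
    mad = median(abs(s - med) for s in samples)
    return med + k * max(mad, floor)

def monitor(flows, threshold, respond):
    """(c) Call respond(src, value) once for each source over the threshold."""
    alarmed = set()
    for (interval, src), value in sorted(view_distinct_ports(flows).items()):
        if value > threshold and src not in alarmed:
            alarmed.add(src)
            respond(src, value)
    return alarmed

# Constructed sample data: (interval, source, destination port).
BASELINE = [(i, f"10.0.0.{h}", p)
            for i in range(6) for h in (1, 2, 3)
            for p in (25, 53, 80)[:1 + (i + h) % 3]]
LIVE = ([(6, "10.0.0.1", 80), (6, "10.0.0.2", 53), (6, "10.0.0.2", 25)]
        + [(6, "10.0.0.9", p) for p in range(1, 41)])

def demo():
    threshold = fit_threshold(list(view_distinct_ports(BASELINE).values()))
    blocked = []  # stand-in for a real response such as a filter update
    monitor(LIVE, threshold, lambda src, n: blocked.append((src, n)))
    return threshold, blocked

if __name__ == "__main__":
    print(demo())
```

Swapping in a different view function or threshold rule is the experimentation that (a) and (b) describe; only the `respond` callback touches enforcement.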


