Firewall Wizards mailing list archives

A question of direction
From: Jeff Maddox <jeff.maddox () ssds com>
Date: Fri, 10 Oct 1997 14:22:15 -0700

All:

The discussions I have seen on this list so far have been informative and
lively without descending into invective as I had begun to see more and more
on the firewalls list and so... I would like to pose a question, where do we
go from here? MJR's statement last week about the limitations of the current
firewall products and concepts struck a positive note in me but I found
myself unable to clearly articulate a solution. We have already seen that
implementing individual system security is simply too unwieldy and therefore
will fail as someone would forget something or refuse something out of spite
or cluelessness and wind up compromising everyone. It is also quite clear
that application level security would always significantly lag application
development unless it is integrated within the development environment and
not removable by the developer in the interest of fast code building or
application function. 

But what is the answer or are the answers? Is it time to develop Bruce
Sterling's ICE? A series of network resident applications that will monitor
all network communications for authorized activity and block it at the
firewall but be smart enough to recognize a legitimate application and user?
But it would have to be absolutely correct in admitting legitimate apps and
there's that pesky lag time thing again. Also users would have to have
absolutely secure identity systems and I haven't seen one yet that cannot
either be hacked or will finally fail on its own or is simply too damn tough
to administer for large numbers of people. (Secure card's holes and battery
life, or just key administration for 260 million people, for example) Really
strong encryption with digital signature would help but the way the FEDs are
acting, it is going to be illegal soon to have good encryption. Would you
trust them to keep your key secret? Or worse, would you trust them to find
it? (Although this is another thread, I think that if the Feds really do try
to set up accessible key storage they are about to find out the limitations
of data retrieval that anyone who has worked with a credit card company
already knows)

I make my living putting firewalls in for people. I would rather make it
doing audits and risk analysis for entire systems so that I could point to
customers and say "they have real security because they did it right." But,
when I suggest that the customer should do audits and I recommend greater
internal security after seeing their networks while installing the firewall
system, most customers are not interested. They are willing to pay for a
firewall and administration but don't believe in the need for much, much
more and even when I explain the risks of doing nothing, can't really agree
to spend the dollars. I've told them to not hire me if they think that I am
just trying to get more work, get a different consultant and they still don't.

Jeff Maddox
SSDS, Inc.
Austin, Texas
jeff.maddox () ssds com
