Firewall Wizards mailing list archives
A question of direction
From: Jeff Maddox <jeff.maddox () ssds com>
Date: Fri, 10 Oct 1997 14:22:15 -0700
All:

The discussions I have seen on this list so far have been informative and lively without descending into invective, as I had begun to see more and more on the firewalls list, and so... I would like to pose a question: where do we go from here?

MJR's statement last week about the limitations of the current firewall products and concepts struck a positive note in me, but I found myself unable to clearly articulate a solution. We have already seen that implementing individual system security is simply too unwieldy and therefore will fail, as someone would forget something or refuse something out of spite or cluelessness and wind up compromising everyone. It is also quite clear that application level security would always significantly lag application development unless it is integrated within the development environment and not removable by the developer in the interest of fast code building or application function.

But what is the answer, or are the answers? Is it time to develop Bruce Sterling's ICE? A series of network resident applications that will monitor all network communications for authorized activity and block it at the firewall but be smart enough to recognize a legitimate application and user? But it would have to be absolutely correct in admitting legitimate apps, and there's that pesky lag time thing again. Also users would have to have absolutely secure identity systems, and I haven't seen one yet that cannot either be hacked, or will finally fail on its own, or is simply too damn tough to administer for large numbers of people. (Secure card's holes and battery life, or just key administration for 260 million people, for example.) Really strong encryption with digital signature would help, but the way the FEDs are acting, it is going to be illegal soon to have good encryption. Would you trust them to keep your key secret? Or worse, would you trust them to find it?

(Although this is another thread, I think that if the Feds really do try to set up accessible key storage they are about to find out the limitations of data retrieval that anyone who has worked with a credit card company already knows.)

I make my living putting firewalls in for people. I would rather make it doing audits and risk analysis for entire systems so that I could point to customers and say "they have real security because they did it right." But, when I suggest that the customer should do audits and I recommend greater internal security after seeing their networks while installing the firewall system, most customers are not interested. They are willing to pay for a firewall and administration but don't believe in the need for much, much more, and even when I explain the risks of doing nothing, can't really agree to spend the dollars. I've told them to not hire me if they think that I am just trying to get more work, get a different consultant, and they still don't.

Jeff Maddox
SSDS, Inc.
Austin, Texas
jeff.maddox () ssds com