Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Sat, 07 Feb 1998 11:09:06 -0500
Itai Dor-on writes:
> It is not practical, under the current implementation, for any vendor to support all known Internet services that are home-made. Thus, security handling should rely on the specific software vendor. Any vendor writing applications that are Internet-aware should take security exploits in his product into consideration and support it.
Itai's hit the real issue. Applications that have any kind of security relevance should be self-secured. They should be developed so that they can withstand attack on their own. I'm not sure what it's going to take to get vendors of s/w to recognize this (presumably a cattle prod or a lot of money) and get with the program. When/if(?) the development tools exist to make it easier to create secured connections, maybe then developers will stop just using the default.

I believe it is essential that applications become self-secured. It's the only way to handle scalability correctly. With a firewall, if the firewall is responsible for analysis of every app going through it, you're always going to be on the bad end of performance. If the applications are OK, then the firewall can basically be replaced with a simpler gateway that only handles open protocols (e.g.: SMTP) that are known problems and are "public" data. You can scale your performance very cleanly if the systems at your boundary are only doing broad-brush security and network-level control -- leave the complex stuff to the host software on the user's desktop where it belongs.

Of course, it'll probably never happen. :(

My secret plan for securing the Internet had one big fatal flaw: you start by scrapping the complete set of applications that we're running and starting over from scratch. First you design a new socket API with options for application-level switching, authentication, encryption negotiation, redirection (under authentication) and reconnection (while you're at it!). Then you scrap TELNET, SMTP, FTP, NNTP, HTTP, and all that crap and rewrite them to use some sane underpinnings. And you expose the implementation of those underpinnings to everyone to hammer on until they look rock solid. The final phase is when we convince the backbone interconnects to put filters in place to block the remaining SMTP, FTP, TELNET, and HTTP traffic. :) Bwaahaaahaaaaaaaa!!!!

We *COULD* make huge improvements to the Internet, security-wise, but they cannot be incremental or backwards compatible. With the amount of money people are spending on half-assed solutions (firewalls, IDSes, VPNs, authentication tokens, etc.) we could easily have just fixed things, if we'd been willing to put aside vendor self-interest and take the whole thing offline for about a year. :)

Ok, I'm insane, but if I were King of the Internet, that's what I'd do. :) We need to convince Ted Turner to give a billion dollars to the Internet-2 project. Or maybe Bill Gates. :)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr