Firewall Wizards mailing list archives
Re: are firewalls limited to only protecting ehternet connections?
From: ICMan <shane_mason () securecomputing com>
Date: Wed, 07 Oct 1998 17:50:19 -0400
Steven M. Bellovin wrote:
> In message <000001bdf148$b1086a60$0b6fe2a5 () Pent266 BITCOMM com>, "KirkAdams" writes:
> > One reason I see this as important is for the impending "streaming video" market that will be implemented. Basically the new "BlockBusters". Some video servers claim 20,000 concurrent 1 Meg video streams capability. So ... where do the switches come from to handle that. I've heard quotes of blah,blah gig backplanes, since I was checking on this myself and I raised the security question, (without any answers I might add). Since these services are likely to be prime targets of BOTH the super hacks and the existing cable thieves a good firewall would be REALLY important. OK, guys. That's the market potential. Any suggestions on something that'll handle it?
>
> Yah -- no firewall at all. I'm perfectly serious. Why should a video server need a firewall? You install firewalls to protect services -- ports -- that can't protect themselves. Video servers are not general-purpose computers. They don't need to run sendmail, they don't have regular users who pick guessable passwords, etc. Taken to the limit, such a beast needs to listen on exactly two ports, and talk on one -- it needs to hear requests (probably from the Web server the customer is talking to), and it needs an administrative access port. It's no trick to design those services to (a) use cryptographic authentication, and/or (b) to be on a physically different wire than the video output.
Mr. Bellovin, Sprint is bringing fibre to the home. Thus, we can expect multiple services all on the same wire, not on different wires. The future is mutable, but there is definitely a tangible direction. All media on one wire. It is possible that each type of device might have its own signaling mechanism. Thus video will signal differently than audio will signal differently than data. But more and more, with faster and faster physical signalling devices, I think that developers of communications standards are going to be asking themselves, "Why don't we all just use the same transport mechanism? It will save cost, because expensive, one off signalling hardware will not be required for a particular service category. The resulting increase in mass producible goods will reduce the cost of bringing new technologies to market."

If all signalling goes digital, for whatever reason, then television, video phones, and data networks will likely all use the same signalling mechanism. It may be that this is not what the future holds. But everyone is all hot and heavy for IP as a delivery tool for all types of media. This trend is not likely to disappear. I figure that, without direct and concerted intervention by such people as security experts, it will snowball; every conceivable communication protocol being delivered by a TCP/IP transport mechanism.

And even if the developers of such services manage to throw the marketing-imposed-deadline yoke off their shoulders long enough to employ cryptographic authentication in their protocols, what is the likelihood that they will adopt open standards? It is probable that, unless we can raise more concern over security than is currently felt, such products will be produced with glaring holes. (More likely is that many services will be developed to run on NT, using the NT crypto API <shudder!>. No chance of anyone breaking into that!)

Although my hope is that more security savvy will be infused into the software development cycles of companies producing these new communications goodies, I think that Firewalls, or at least "network perimeter defense devices", are going to be relied on more and more as a protection mechanism for these services.

ICMan