Firewall Wizards mailing list archives

Re: are firewalls limited to only protecting ethernet connections?


From: ICMan <shane_mason () securecomputing com>
Date: Wed, 07 Oct 1998 17:50:19 -0400

Steven M. Bellovin wrote:

> In message <000001bdf148$b1086a60$0b6fe2a5 () Pent266 BITCOMM com>, "KirkAdams" wrote:
>
> > One reason I see this as important is for the impending "streaming video"
> > market that will be implemented. Basically the new "BlockBusters". Some
> > video servers claim 20,000 concurrent 1 Meg video streams capability. So ...
> > where do the switches come from to handle that. I've heard quotes of
> > blah,blah gig backplanes, since I was checking on this myself and I raised
> > the security question, (without any answers I might add). Since these
> > services are likely to be prime targets of BOTH the super hacks and the
> > existing cable thieves a good firewall would be REALLY important.
> >
> > OK, guys. That's the market potential. Any suggestions on something that'll
> > handle it?
>
> Yah -- no firewall at all.
>
> I'm perfectly serious.  Why should a video server need a firewall?
> You install firewalls to protect services -- ports -- that can't protect
> themselves.  Video servers are not general-purpose computers.  They
> don't need to run sendmail, they don't have regular users who pick
> guessable passwords, etc.  Taken to the limit, such a beast needs to
> listen on exactly two ports, and talk on one -- it needs to hear requests
> (probably from the Web server the customer is talking to), and it needs
> an administrative access port.  It's no trick to design those services to
> (a) use cryptographic authentication, and/or (b) to be on a physically
> different wire than the video output.


Mr. Bellovin,

Sprint is bringing fibre to the home.  Thus, we can expect multiple
services all on the same wire, not on different wires.  The future is
mutable, but there is definitely a tangible direction.  All media on one
wire.

It is possible that each type of device might have its own signaling
mechanism.  Thus video will signal differently than audio will signal
differently than data.  But more and more, with faster and faster
physical signalling devices, I think that developers of communications
standards are going to be asking themselves, "Why don't we all just use
the same transport mechanism?  It will save cost, because expensive, one
off signalling hardware will not be required for a particular service
category.  The resulting increase in mass producible goods will reduce
the cost of bringing new technologies to market."

If all signalling goes digital, for whatever reason, then television,
video phones, and data networks will likely all use the same signalling
mechanism.

It may be that this is not what the future holds.  But everyone is all
hot and heavy for IP as a delivery tool for all types of media.  This
trend is not likely to disappear.  I figure that, without direct and
concerted intervention by such people as security experts, it will
snowball; every conceivable communication protocol being delivered by a
TCP/IP transport mechanism.

And even if the developers of such services manage to throw the
marketing-imposed-deadline yoke off their shoulders long enough to
employ cryptographic authentication in their protocols, what is the
likelihood that they will adopt open standards?  It is probable that,
unless we can raise more concern over security than is currently felt,
such products will be produced with glaring holes. (More likely is
that many services will be developed to run on NT, using the NT crypto
API <shudder!>.  No chance of anyone breaking into that!)

Although my hope is that more security savvy will be infused into the
software development cycles of companies producing these new
communications goodies, I think that Firewalls, or at least "network
perimeter defense devices", are going to be relied on more and more as a
protection mechanism for these services.

ICMan
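Bellovin's design sketch above (a special-purpose server that listens on exactly two ports, authenticates requests cryptographically, and keeps the administrative port off the public wire) can be made concrete. The following is an added illustration written for this archive page, not code from either poster: it assumes a shared HMAC key between the Web front end and the video server, and constructed documentation-range addresses for a public interface and a separate management interface. The verifier enforces the two points the thread argues about: requests carry a keyed MAC with a timestamp and nonce (so a request cannot be forged or replayed), and the listener plan refuses to put the admin port on the public address.

```python
"""Minimal-surface service: two listeners, HMAC-authenticated requests, admin off the public wire.

Added example (not from the mailing-list thread). Addresses, ports and the
shared key are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed addresses from the documentation ranges (RFC 5737), not real hosts.
PUBLIC_IF = "203.0.113.10"   # where customer-facing requests arrive
MGMT_IF = "192.0.2.10"       # separate management network, assumed


def listener_plan(public_addr, mgmt_addr, request_port=8000, admin_port=8022):
    """Return the only two (address, port) sockets the service should open.

    Refuses a layout that exposes the admin port on the public interface,
    which is the "physically different wire" requirement from the thread.
    """
    if mgmt_addr == public_addr or public_addr == "0.0.0.0":
        raise ValueError("admin listener must not share the public interface")
    return {"request": (public_addr, request_port), "admin": (mgmt_addr, admin_port)}


def sign_request(key: bytes, body: bytes, nonce: str, ts: int) -> str:
    """Client side: bind timestamp, nonce and body under the shared key."""
    msg = f"{ts}.{nonce}.".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def new_nonce() -> str:
    """Unpredictable per-request nonce so replays are detectable."""
    return secrets.token_hex(16)


class RequestVerifier:
    """Server side: accept a request only if fresh, unseen and correctly signed."""

    def __init__(self, key: bytes, max_skew: int = 30):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, pruned as the window moves

    def _prune(self, now: int):
        for nonce, ts in list(self.seen.items()):
            if now - ts > self.max_skew:
                del self.seen[nonce]

    def verify(self, body: bytes, nonce: str, ts: int, tag: str, now: int) -> bool:
        self._prune(now)
        if abs(now - ts) > self.max_skew:      # stale or far-future timestamp
            return False
        if nonce in self.seen:                 # replay of an accepted request
            return False
        expected = sign_request(self.key, body, nonce, ts)
        if not hmac.compare_digest(expected, tag):  # forged or tampered
            return False
        self.seen[nonce] = ts
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    plan = listener_plan(PUBLIC_IF, MGMT_IF)
    print("listeners:", plan)
    v = RequestVerifier(key)
    nonce, ts, body = new_nonce(), 1_000_000, b"GET /stream/42"
    tag = sign_request(key, body, nonce, ts)
    print("first request:", v.verify(body, nonce, ts, tag, now=ts + 1))
    print("replayed request:", v.verify(body, nonce, ts, tag, now=ts + 2))
```

The point of the example is that the server, not a box in front of it, decides what it will answer: a tampered body, a reused nonce or a stale timestamp is rejected before any video-serving code runs, and the admin port is never reachable from the customer-facing address.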


