Firewall Wizards mailing list archives
Re: Forrester Research foresees death of firewalls
From: Adam Shostack <adam () homeport org>
Date: Wed, 16 Jun 1999 22:42:47 -0400
Firewalls often become the core of a company's security model, which is absolutely broken. The firewall is not where the data is unless the firewall is a bottleneck, or an excuse to build a somewhat more secure data center. Building that more secure data center in a firewall makes the firewall too complex, and requires that you do things that cause real firewall gurus to cut their hair and take jobs as management consultants. (You know who you are.)

The Forrester report seems to raise a lot of good points. Not that certificates, ldap, x.509 are going to offer security, but seeing security pushed onto the application servers, which are essentially open to the world today anyway, is probably a good direction. It will be expensive and painful. People will get attacked left, right and center. But that's happening today, and firewalls are not helping much.

When someone puts Netbus into the payload of an email virus, and adds some web logic, then firewalls become even less useful. (By web logic, I mean start putting the control channel on web pages, and have netbus hit the web page every 2-4 hours. Each web page takes NB to a new one. Or you stego the control into images. Lots of ways to do this, and save you the trouble of establishing inbound connections through the firewall.)

We need to start looking at content security at the application layer; in this case, the problem is mail. What are you doing to secure your mail servers? If the problem is that you need to expose your oracle db to the world to move orders, how do you secure it? Firewalls enter into the picture only as a perimeter tool; you ensure data only gets in on two or three points. The real security will need to be on the servers.

Let's stop trying to pretend firewalls are anything more than a stopgap.

Adam

| Finally, in a sort of footnote to the article, there is a small paragraph
| titled "Firewalls are overblown." "According to Jeff Schiller, security
| area director for the Internet Engineering Task Force, 'Firewalls have set
| the security industry back years. Not only are many firewalls riddled with
| holes, but they assume that there is a perimeter at the edge of the company,
| which just isn't true for the virtual corporation.' Firewalls aren't all
| that bad -- they have provided a stopgap measure for initial Internet
| security problems. However, we concur with Shiller [sic] that firewalls are
| no panacea. But before they get ripped out entirely, firewalls will
| continue in their roles as enforcement points."

--
"It is seldom that liberty of any kind is lost all at once." -Hume