Firewall Wizards mailing list archives

Re: Forrester Research foresees death of firewalls


From: Adam Shostack <adam () homeport org>
Date: Wed, 16 Jun 1999 22:42:47 -0400

Firewalls often become the core of a company's security model, which
is absolutely broken.  The firewall is not where the data is unless
the firewall is a bottleneck, or an excuse to build a somewhat more
secure data center.  Building that more secure data center in a
firewall makes the firewall too complex, and requires that you do
things that cause real firewall gurus to cut their hair and take
jobs as management consultants. (You know who you are.)

The Forrester report seems to raise a lot of good points.  Not that
certificates, LDAP, X.509 are going to offer security, but seeing
security pushed onto the application servers, which are essentially
open to the world today anyway, is probably a good direction.

It will be expensive and painful.  People will get attacked left, right
and center.  But that's happening today, and firewalls are not helping
much.  When someone puts Netbus into the payload of an email virus,
and adds some web logic, then firewalls become even less useful.  (By
web logic, I mean start putting the control channel on web pages, and
have Netbus hit the web page every 2-4 hours.  Each web page takes NB
to a new one.  Or you stego the control into images.  Lots of ways to
do this, and save you the trouble of establishing inbound connections
through the firewall.)

We need to start looking at content security at the application layer;
in this case, the problem is mail.  What are you doing to secure your
mail servers?  If the problem is that you need to expose your Oracle
DB to the world to move orders, how do you secure it?

Firewalls enter into the picture only as a perimeter tool; you ensure
data only gets in on two or three points.  The real security will need
to be on the servers.  Let's stop trying to pretend firewalls are
anything more than a stopgap.

Adam

| Finally, in a sort of footnote to the article, there is a small paragraph
| titled "Firewalls are overblown."  "According to Jeff Schiller, security
| area director for the Internet Engineering Task Force, 'Firewalls have set
| the security industry back years.  Not only are many firewalls riddled with
| holes, but they assume that there is a perimeter at the edge of the company,
| which just isn't true for the virtual corporation.'  Firewalls aren't all
| that bad -- they have provided a stopgap measure for initial Internet
| security problems.  However, we concur with Shiller [sic] that firewalls are
| no panacea.  But before they get ripped out entirely, firewalls will
| continue in their roles as enforcement points."


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
