Firewall Wizards mailing list archives
Re: Forrester Research foresees death of firewalls
From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 20 Jun 1999 18:39:46 -0400 (EDT)
On Wed, 16 Jun 1999, Kevin T. Shivers wrote:
> Forrester has written a report called "Turning Security On Its Head." The
> God I hope my higher-ups don't see this.
If they're following this stuff at this stage, it's time to leave. Changing the model significantly enough to allow host security to work means a lot more maturity in end-node auditing, network layer IDS/activity monitors, and movement away from a lot of traditional systems. IMO, you have to build networks to allow what Forrester sees, and just looking at the Y2K problem, I can't see older mission-critical machines being swapped out for a major paradigm shift in large corporations anytime soon.
> of this restrictive approach, many firms are oblivious to new technologies like application security middleware that enable easy access to corporate systems. These companies miss the eCommerce boat as more progressive competitors seek alternative ways to open up the back-end."
> OK, forgive my daftness, but why would an e-commerce site need to have "easy access to corporate systems"? I would think that e-commerce systems
Because most businesses buy and sell things. The transactions need to go somewhere. However, in a world where the power companies seem to be compromisable (and how much e-commerce is necessary with power distribution?) from the Internet, advocating less restriction seems reckless and silly to me.
> would be fairly self contained and could all be placed in front of the firewall or in the DMZ. I would think that most of the commerce
You can't place your entire business in the DMZ, or it isn't a DMZ anymore.
> related systems (web server, inventory, payment and order systems, etc.) of big e-commerce sites like amazon.com would be this way and the rest of the systems (corporate, accounting, IT, what have you) would be well protected behind a firewall or two.
"Well protected" apparently means many things to many people.
> Expanding on the notion of sharing responsibility, the report says, "Deploying firewalls to deny bad connections, inspect content, authenticate users, and encrypt traffic will result in network traffic grinding to a
Despite all the negativity in the above, it's also what's enabling security, albeit not in a big way.
> halt. Instead, distribute protection throughout the enterprise using routers, Web servers, and application servers. Unite these components through hooks to x.509 certificates, LDAP directories, and policy management systems like Axent's Enterprise Security Manager."
None of which address the real problem. We can't even get MAC and compartments in firewalls. How exactly do Forrester imagine that an x.509 certificate will be protected in their "open network"? Wonder if Axent has any relationship with Forrester? This seems reminiscent of the old Gartner stuff from days gone by.
> I don't know about you all, but my network operates just fine with my firewall doing everything listed above and more. I'd also like to know where Forrester grows their money off of trees since my funds certainly are limited. I agree with people who say that
Almost certainly some of it is coming from the same thing that makes brokerages money. Selling a new scheme is like selling a new stock, you get to make more opinions and gain more money. Doesn't matter if the old stock is making money, since you get the transaction fees. I don't entirely disagree that things are going this way, I'm just not convinced that Forrester is serving anyone's interests other than their own with overhyped zeal for open networks. I don't see my firewalls leaving anytime soon. In fact, I expect to add internal firewalling increasingly, and just got the approval for setting up a *bunch* of new proxy servers. Let's look at reality for a moment: Educational institutions used to be completely open net-wise. Now a good portion of them are firewalled at at least strategic points. Is Forrester suggesting that they've taken a step backwards?
> firewalls are not enough and that more measures are needed, but a firewall protecting the front gate seems to be a good start, and is a lot cheaper and a lot less time consuming than trying to secure everything in the entire enterprise.
Especially when it's an enterprise and not a small company.
> I'd also like to know how they fit 50 hours into a day to accomplish the feats needed to unite everything like this together. :)
Forrester isn't a big company, and probably doesn't have a lot of computing assets to protect, but I wonder if they've heeded their own advice yet? Oh, what do you know? A traceroute to the authoritative nameserver in their domain is blocked. I suppose screening routers don't "count" in their book?
> that bad -- they have provided a stopgap measure for initial Internet security problems. However, we concur with Shiller [sic] that firewalls are no panacea. But before they get ripped out entirely, firewalls will continue in their roles as enforcement points."
> I don't think that firewalls will ever go away, as many other people on this list have stated. A firewall is part of a strong security backbone that a company connected to the internet needs to have. Or at least that is what has been pounded into my head by countless people, articles, posting, books, etc. Just call me a product of peer pressure. :)
> kts
> --
> Kevin T. Shivers NT & UNIX Systems Mutiliator
You may want to consider marketing as a staple of your next educational experience ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
PSB#9280