Re: Forrester Research foresees death of firewalls

["Paul D. Robertson" <proberts () clark net>]

On Wed, 16 Jun 1999, Kevin T. Shivers wrote:

> > Forrester has written a report called "Turning Security On Its Head."  The
>
> God I hope my higher-ups don't see this.

If they're following this stuff at this stage, it's time to leave.

Changing the model significantly enough to allow host security to work 
means a lot more maturity in end-node auditing, network layer 
IDS/activity monitors, and movement away from a lot of traditonal 
systems.  IMO, you have to build networks to allow what Forrester sees, 
and just looking at the Y2K problem, I can't see older mission-critical 
machines being swapped out for a major paradyne shift in large 
corporations anytime soon.

> > of this restrictive approach, many firms are oblivious to new technologies
> > like application security middleware that enable easy access to corporate
> > systems.  These companies miss the eCommerce boat as more progressive
> > competitors seek alternative ways to open up the back-end."
>
> OK, forgive my daftness, but why would an e-commerce site need to have
> "easy access to corporate systems"?  I would think that e-commerce systems

Because most businesses buy and sell things.  The transactions need to 
go somewhere.  However, in a world where the power companies seem to be 
compromisable (and how much e-commerce is necessary with power 
distribution?) from the Internet, advocating less restriction seems 
reckless and silly to me.

> would be fairly self contained and could all be placed in front of the
> firewall or in the DMZ.  I would think that most of the commerce

You can't place your entire business in the DMZ, or it isn't a DMZ anymore.

> related systems (web server, inventory, payment and order systems, etc.) 
> of big e-commerce sites like amazon.com would be this way and the rest of
> the systems (corporate, accounting, IT, what have you) would be well
> protected behind a firewall or two.

"Well protected" apparently means many things to many people.

> > Expanding on the notion of sharing responsibility, the report says,
> > "Deploying firewalls to deny bad connections, inspect content, authenticate
> > users, and encrypt traffic will result in network traffic grinding to a

Despite all the negativity in the above, it's also what's enabling 
security, allbeit not in a big way.

> > halt.  Instead, distribute protection throughout the enterprise using
> > routers, Web servers, and application servers.  Unite these components
> > through hooks to x.509 certificates, LDAP directories, and policy management
> > systems like Axent's Enterprise Security Manager."

None of which address the real problem.  We can't even get MAC and 
compartments in firwalls.  How exactly do Forrester imagine that an x.509 
certificate will be protected in their "open network"?  Wonder if Axent 
has any relationship with Forrester?  This seems reminicent of the old 
Gartner stuff from days gone by.

> I don't know about you all, but my network operates just fine with my
> firewall doing everything listed above and more.  
>
> I'd also like to know where Forrester grows their money off of trees since
> my funds certainly are limited.  I agree with people who say that

Almost certainly some of it is coming from the same thing that makes 
brokerages money.  Selling a new scheme is like selling a new stock, you 
get to make more opinions and gain more money.  Doesn't matter if the old 
stock is making money, since you get the transaction fees.

I don't entirely disagree that things are going this way, I'm just not 
convinced that Forrester is serving anyone's interests other than their 
own with overhyped zeal for open networks.

I don't see my firewalls leaving anytime soon.  In fact, I expect to add 
interal firewalling increasingly, and just got the approval for setting 
up a *bunch* of new proxy servers.

Let's look at reality for a moment:

Educational institutions used to be completely open net-wise.  Now a good 
portion of them are firewalled at at least strategic points.  Is 
Forrester suggesting that they've taken a step backwards?


> firewalls are not enough and that more measures are needed, but a firewall
> protecting the front gate seems to be a good start, and is a lot cheaper
> and a lot less time consuming than tryng to secure everything in the
> entire enterprise.

Especially when it's an enterprise and not a small company.

> I'd also like to know how they fit 50 hours into a day to accomplish the
> feats needed to unite everything like this together. :)

Forrester isn't a big company, and probably doesn't have a lot of 
computing assets to protect, but I wonder if they've headed their own 
advice yet?  Oh, what do you know?  A traceroute to the authoritative 
nameserver in their domain is blocked.  I suppose screening routers don't 
"count" in their book?

> > that bad -- they have provided a stopgap measure for initial Internet
> > security problems.  However, we concur with Shiller [sic] that firewalls are
> > no panacea.  But before they get ripped out entirely, firewalls will
> > continue in their roles as enforcement points."
>
> I don't think that firewalls will ever go away, as many other people on
> this list have stated.  A firewall is part of a strong security backbone
> that a company connected to the internet needs to have.  Or at least that
> is what has been pounded into my head my countless people, articles,
> posting, books, etc.  Just call me a product of peer pressure. :)
>
> kts
>
> --
> Kevin T. Shivers                 NT & UNIX Systems Mutiliator

                            You may want to consider marketing as a staple
                            of your next educational experience ;)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280