Firewall Wizards mailing list archives
RE: Firewall RISKS
From: "Sheldrake, Kevin" <kevin.sheldrake () baedsl co uk>
Date: Thu, 24 Jun 1999 09:50:49 +0100
I think that there has been some confusion that has clouded the argument. Here are my views:

a) My definition of a firewall is based on application-level proxies.

b) I support the notion of firewalls for most applications where two or more systems are to be connected together where the sets of users or the trust of the users differ between the systems.

c) I have more of an open mind than believing that firewalls are the only way to provide security.

d) I believe that firewalls _should_ be more secure than the daemons that they are protecting due to the following:
   i) daemons are generally quite complicated programs;
   ii) the proxies on the firewall should attempt to protect against attacks on the daemons;
   iii) Building a protocol interpreter is less complex than building a daemon that includes a protocol interpreter;
   iv) The proxy should consist solely of a protocol interpreter;
   v) the proxy should be tested by white-box and black-box methods using all known methods of attack;
   vi) the testing, therefore, of the proxy is more security targeted than the testing of a daemon (which would, inevitably, involve much testing of the daemon's functionality);
   vii) it is this targeted development and testing that I believe makes the firewalls I have described more secure than the daemons alone.

e) Stephen P. Berry probably disagrees with d above. I am prepared to disagree with his views.

f) I have no interest in continuing this discussion. It appears that Stephen P. Berry has repeatedly misunderstood my views and, probably, that I have misunderstood his.

g) I agree that application-level daemons can be made more secure but I don't see anyone actually doing this to the level to which I would trust them completely.

Kev

Kevin Sheldrake
CCIS Prototypes and Demonstrations
British Aerospace Defence Systems
[+44 | 0] 1202 408035, kevin.sheldrake () baedsl co uk