Firewall Wizards mailing list archives

Re: Access Control, Authentication, and Perimeter Security


From: Alfonso De Gregorio <adg () speedcom it>
Date: Sat, 24 Mar 2001 15:56:59 +0100

On Wed, Mar 21, 2001 at 01:54:39PM -0600, Smith Gary-GSMITH1 wrote:

Hi,

      * How access control and authentication can (and must) supersede
      perimeter security designs

Agreed.

This seems extremely daft-brained to me. Access control and authentication
ARE part of perimeter security. Getting around perimeter security for access
control and authentication sounds like building The Great Wall of China and
putting in revolving doors as an afterthought. Or a direct connection
between a DMZ and the internal company net.

It's difficult for modern firewalls to perform filtering based on
network topology considerations, since:
        - the traditional notion of a security perimeter is no longer valid
          (insiders should no longer be trusted);
        - it has become trivial for anyone to establish a new, unauthorized
          entry point to the network without the administrator's knowledge
          and consent (e.g. through tunnels, wireless and dial-up access
          methods);
        - etc. etc.

Probably, in this context it's preferable to use distributed firewalls, where
security policy is defined centrally but enforced at each individual network
endpoint.

For more information, please see:
        "Implementing a Distributed Firewall", by S. Ioannidis,
         A. D. Keromytis, S. M. Bellovin, J. M. Smith, CCS 2000,
         Athens, Greece

        'Rather than relying on the topological notion of "inside" and
         "outside", as it is done in traditional firewalls, a distributed
         firewall assigns certain rights to whichever machine owns the private
         keys corresponding to certain public keys. Thus, the right to connect
         to the http port on a company's internal Web server might be granted
         to those machines having a certificate name of the form
         *.goodfolks.org, rather than those machines that happen to be connected
         to an internal wire. A laptop directly connected to the Internet has
         the same level of protection as does a desktop in the organization's
         facility. Conversely, a laptop connected to the corporate net by a
         visitor would not have the proper credentials, and hence would be
         denied access, even though it is topologically "inside".'

Sincerely,
alfonso
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
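An added illustration of the argument in the post above (not code from the poster or from the cited paper): a toy policy check in which rights attach to the name in a peer's verified certificate rather than to its network location, evaluated by the endpoint against a centrally authored rule list. The "goodfolks.org" name comes from the quoted paper; the rules, the 10.0.0.0/8 "inside" range and the peers are constructed for the example, and certificate verification itself is assumed to have happened already.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Peer:
    ip: str                    # source address of the connection attempt
    cert_name: Optional[str]   # name from the peer's *verified* certificate; None = no valid credential


@dataclass(frozen=True)
class Rule:
    name_pattern: str   # exact name, or "*.example.org" where "*" covers exactly one leftmost label
    port: int
    action: str         # "allow" or "deny"


# Policy written once, centrally; every endpoint evaluates the same list (first match wins, default deny).
CENTRAL_POLICY = [
    Rule("*.goodfolks.org", 80, "allow"),    # http on the internal web server, as in the quoted paper
    Rule("*.goodfolks.org", 443, "allow"),
]


def name_matches(pattern: str, name: str) -> bool:
    """Wildcard matches a single label only: 'a.b.goodfolks.org' and 'goodfolks.org' do not match."""
    pattern, name = pattern.lower(), name.lower()
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                                     # ".goodfolks.org"
    head = name[:-len(suffix)] if name.endswith(suffix) else None
    return bool(head) and "." not in head


def distributed_decide(peer: Peer, port: int) -> str:
    """Endpoint-enforced check: the decision depends on the credential, never on peer.ip."""
    if peer.cert_name is None:
        return "deny"
    for rule in CENTRAL_POLICY:
        if rule.port == port and name_matches(rule.name_pattern, peer.cert_name):
            return rule.action
    return "deny"


INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed "inside" wire for the contrast


def perimeter_decide(peer: Peer, port: int) -> str:
    """The topological rule the post argues against: anything on the inside wire is trusted."""
    return "allow" if ipaddress.ip_address(peer.ip) in INTERNAL_NET and port in (80, 443) else "deny"


if __name__ == "__main__":
    roaming = Peer("203.0.113.7", "laptop.goodfolks.org")   # employee laptop directly on the Internet
    visitor = Peer("10.1.2.3", None)                         # visitor plugged into the corporate net
    for who, p in (("roaming", roaming), ("visitor", visitor)):
        print(who, "perimeter:", perimeter_decide(p, 80), "distributed:", distributed_decide(p, 80))
```

The two decision functions disagree on exactly the two cases the quoted paragraph describes: the roaming employee laptop and the visitor on the internal wire.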

