Firewall Wizards mailing list archives
Re: Access Control, Authentication, and Perimeter Security
From: Alfonso De Gregorio <adg () speedcom it>
Date: Sat, 24 Mar 2001 15:56:59 +0100
On Wed, Mar 21, 2001 at 01:54:39PM -0600, Smith Gary-GSMITH1 wrote: Hi,
* How access control and authentication can (and must) supersede perimeter security designs
Agreed.
This seems extremely daft-brained to me. Access control and authentication ARE part of perimeter security. Getting around perimeter security for access control and authentication sounds like building The Great Wall of China and putting in revolving doors as an afterthought. Or a direct connection between a DMZ and the internal company net.
It's difficult for modern firewalls to perform filtering based on network topology considerations, since:

- the traditional notion of a security perimeter is no longer valid (insiders should no longer be trusted);
- it has become trivial for anyone to establish a new, unauthorized entry point to the network without the administrator's knowledge and consent (e.g. through tunnels, wireless and dial-up access methods);
- etc. etc.

Probably, in this context it's preferable to use distributed firewalls, where security policy is defined centrally but enforced at each individual network endpoint. For more information, please see:

"Implementing a Distributed Firewall", by S. Ioannidis, A. D. Keromytis, Steve M. Bellovin, J. M. Smith, CCS 2000, Athens, Greece

'Rather than relying on the topological notion of "inside" and "outside", as is done in traditional firewalls, a distributed firewall assigns certain rights to whichever machine owns the private keys corresponding to certain public keys. Thus, the right to connect to the http port on a company's internal Web server might be granted to those machines having a certificate name of the form *.goodfolks.org, rather than those machines that happen to be connected to an internal wire. A laptop directly connected to the Internet has the same level of protection as does a desktop in the organization's facility. Conversely, a laptop connected to the corporate net by a visitor would not have the proper credentials, and hence would be denied access, even though it is topologically "inside".'

Sincerely,
alfonso

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
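The contrast the quoted paper draws, a topology-based decision versus a credential-based one, is easy to see in a small policy evaluator. The following Python is an added illustration written for this archive page; it is not code from the paper, from the list, or from any distributed-firewall implementation. The rule format, the `Request` fields, the 10.0.0.0/16 "internal wire" prefix and the host names are constructed assumptions. It also assumes that `cert_name` has already been established by an authenticated key exchange (the paper relies on IPsec and KeyNote for that), so proof of private-key possession is outside the snippet; the only thing shown is how the endpoint's policy check turns out once that name is known.

```python
"""Toy distributed-firewall policy check (constructed illustration).

Evaluates the same requests under two policies:
  - topology_policy: the traditional "trust the internal wire" rule
  - credential_policy: rights granted to the holder of a suitable
    certificate name, regardless of where the packet arrived from
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed: the organization's internal address space (constructed value).
INTERNAL_PREFIX = "10.0."


@dataclass(frozen=True)
class Request:
    src_ip: str                 # address the connection arrived from
    dst_port: int               # service being requested on this endpoint
    cert_name: Optional[str]    # authenticated certificate name, or None if
                                # the peer presented no credential. Assumed to
                                # come from a completed key exchange (IPsec /
                                # KeyNote in the paper); not verified here.


def topology_policy(req: Request) -> bool:
    """Traditional firewall: whatever sits on the internal wire is trusted."""
    return req.src_ip.startswith(INTERNAL_PREFIX)


def name_matches(pattern: str, name: str) -> bool:
    """Match a certificate name against a rule pattern.

    '*.goodfolks.org' matches exactly one additional leading label
    (TLS-style wildcard semantics, an assumption of this example), so
    'laptop.goodfolks.org' matches but 'a.b.goodfolks.org', the bare
    'goodfolks.org' and 'x.goodfolks.org.attacker.example' do not.
    """
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".goodfolks.org"
        if not name.endswith(suffix):
            return False
        leading = name[: -len(suffix)]
        return bool(leading) and "." not in leading
    return pattern == name


# Centrally defined policy, pushed to every endpoint (constructed rules):
# (destination port, certificate-name pattern that is granted access)
RULES: List[Tuple[int, str]] = [
    (80, "*.goodfolks.org"),    # the paper's example: internal Web server
]


def credential_policy(req: Request) -> bool:
    """Distributed firewall: grant the right to the credential holder."""
    if req.cert_name is None:
        return False
    return any(port == req.dst_port and name_matches(pat, req.cert_name)
               for port, pat in RULES)


def evaluate(req: Request) -> Dict[str, bool]:
    """Return both decisions for one request, for side-by-side comparison."""
    return {"topology": topology_policy(req),
            "credential": credential_policy(req)}


# The three situations described in the quoted paragraph (constructed hosts).
ROAD_WARRIOR = Request("203.0.113.7", 80, "laptop.goodfolks.org")  # on the Internet
VISITOR = Request("10.0.5.23", 80, None)                           # inside, no credential
INSIDER_SSH = Request("10.0.5.9", 22, "desk.goodfolks.org")        # inside, port not granted


if __name__ == "__main__":
    for label, req in (("road warrior", ROAD_WARRIOR),
                       ("visitor", VISITOR),
                       ("insider to port 22", INSIDER_SSH)):
        print(f"{label:20} {evaluate(req)}")
```

The road warrior is denied by topology and allowed by credential; the visitor on the internal wire gets the opposite pair of answers; and the insider asking for a port no rule grants is allowed by the wire-based policy but denied by the credential-based one, which is the point the paper makes about laptops and visitors. Central definition of `RULES` with evaluation at each endpoint is what makes the policy independent of where the machine happens to be plugged in.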
Current thread:
- Access Control, Authentication, and Perimeter Security Smith Gary-GSMITH1 (Mar 22)
- Re: Access Control, Authentication, and Perimeter Security Alfonso De Gregorio (Mar 26)
- <Possible follow-ups>
- Re: Access Control, Authentication, and Perimeter Security Paul McNabb (Mar 27)