Firewall Wizards mailing list archives

RE: The Death Of A Firewall


From: "Joe" <gijoe () vinylflesh com>
Date: Wed, 9 Nov 2005 16:59:59 -0500


Well the article says they are "close to achieving that goal" so perhaps
they realized you still need a firewall at perimeter points to public
networks to reduce network "noise" from impacting their internal network
service levels (SLAs) and have those internal switches see the pounding. :)

But what Mr Berman has accomplished is what I believe to be the endgame, and
what we are doing today with network security architecture is fanatical on
networks when the threat profile is so focused above it.

I believe the endgame will have the network become a utility you buy like
electricity. Clients will be connected to this utility (wired or wireless).
This utility would be a complete convergence of internal building
connectivity directly connected to the Internet. Your service level for this
utility will have the utility company guarantee availability and low latency
but not security. If you think about it, for the utility company to meet the
SLA they will have to run software to block network noise like DDoS, port
scans, etc. from the portal point to the Internet.

Server farms will be the last bastion (no pun intended) of small networks
with application layer firewalls front-ending them. Of course from a form
factor perspective the server farm may reduce to a piece of heavy iron full
of virtualization.

Clients should be commoditized multimedia systems that are kiosks to
applications that serve data managed by document management/entitlement
systems. This way when data is requested, copies of the data sent to clients
are "watermarked" with who/what/where/when the data is accessed by. There
will always be data leakage of some form. Document management/entitlement
systems integration with watermarking at least helps you track it and plug
it.

Given we already have it that people use their PDA/phone for both business
and personal, it is unrealistic to be able to limit the use of the client to
specific applications. All you can do is secure it from infection. Of course
proactive people would have their clients run various "Anti-badstuff"
software with automatic updates. Other people will wait until their client
connects to an application (personal banking or work portal) that scans the
client. Those clients with "good hygiene" have access. Those who do not are
warned and given options to clean their mess. Don't read the current NAC and
NAP solutions from Cisco and Microsoft respectively on this. I am thinking
more of a solution like WholeSecurity.

I am not presenting the endgame as a utopia, just as what appears to me to
be a logical progression of things to come. The threat profile in the
application space will just get very ugly. My imagination comes up with
rogue EJBs on Java Application Servers.

Like electricity, as a utility all the network will need to be is highly
available and clean from line noise and other interference.

Am I thinking heresy?

- Joe



========================
Subject: RE: [fw-wiz] The Death Of A Firewall
Date: Thu, 27 Oct 2005 16:31:21 -0400
From: <hugh_fraser () dofasco ca>
To: <firewall-wizards () honor icsalabs com>

There's a lot in the article that's left to speculation. I admire their
internal network design; multiple security zones with clearly-defined
services separated by application-layer firewalls, network ACLs to control
traffic flows. Being able to accurately profile traffic traversing the
network allows strict firewall rules and network ACLs, and greatly enhances
the IDS or IPS ability to identify bogus traffic.
He's also got a compartmentalized network that may allow him to contain a
virus or worm, preventing, for instance, a workstation infected with a virus
from spreading it to the core business servers.

It's not clear what he's done with the clients. They're running a hardened
OS, with the latest AV and presumably a firewall. He hasn't said they've got
carte blanche to run anything they want; perhaps the clients are locked down
to a selection of approved apps, but they have a broader selection than most
of us would. With all the effort they've put into the rest of their
network, I have to assume that they've recognized the threats from the
workstation and have instrumented and profiled them as well as they have
elsewhere.

Unfortunately, this isn't usually the case. It's the exceptions that get
you. The users with extra rights that turn off the firewall, the admin
people who've opened up some extra inbound ports in their firewall to allow
a "special" app to work, the machines that for some reason didn't get the
latest AV signature.

And I can just imagine the complaints from our network group as their
switches (which we rely on for traffic flow management, not security) start
to see some of the pounding our perimeter firewall receives.

So it's tough to understand why, with all the effort they've put into
hardening the interior, he would resist adding the incremental cost of one
more firewall to protect the perimeter and potentially have the best of all
worlds (a crunchy exterior and interior), unless it really is for "Taking
that crutch away has forced us to rethink our security model".

I'd be inclined to find another way to sell that lesson.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Pedski
Sent: Monday, October 17, 2005 9:30 PM
To: James Paterson
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] The Death Of A Firewall


James Paterson wrote:

http://www.securitypipeline.com/165700439

Be interesting to get the community's take on this article.






_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

