Firewall Wizards mailing list archives

Middleboxes can only do the middle work


From: Dave Piscitello <dave () corecom com>
Date: Tue, 01 Apr 2008 14:44:51 -0400

Several recent threads call attention to the elephant in the conference room no one talks about.

Firewalls are middleboxes (there is some RFC that says this, so I'm certain it is true). They are one element in a line of defense, and from an attacker's viewpoint, one line of defense that has to be breached (for some set of attacks). Even the stone-stupid attackers spend few cycles breaching firewalls today because it is much easier to go after code that is written by folks with little security clue, using grossly generous language constructs, with amazingly few access controls enforced on the hosting computer. Paul Melson's "epic fail from the beginning" and Marcus' "bad ideas happening fast" are spot on.

This doesn't mean firewalls are obsolete, but it does (finally) provide ample evidence for even the most obdurate network designers that "the perimeter will save us" is seriously overtaken by events. This is a good thing: and after only two decades, we are actually turning our attention to considering remedies closer to communications endpoints.

The problem we still face is one of addiction. The historical comfort and debatable success that perimeter enforcement solutions provided created a "box in the middle will cure our application woes" mentality that persists today. What we really get each time we substitute a middlebox for secure programming and a secure OS (implementation and configuration) is symptomatic relief, not cure.

The security industry is eager to build middleboxes that don't quite cure the woes but narcotize users sufficiently that they are happy to buy expensive boxes, flog configurations, study traffic logs, buy more boxes, flog configurations... Feed the addiction. As long as users are buying the drugs and doping themselves senseless so they can ignore the root causes at the endpoints, we shouldn't anticipate that things will improve dramatically.

