nanog mailing list archives

Re: Input requested for second edition of "Firewalls and Internet Security"


From: Valdis.Kletnieks () vt edu
Date: Mon, 21 Oct 2002 00:38:49 -0400

On Sun, 20 Oct 2002 17:13:54 EDT, Sean Donelan <sean () donelan com>  said:

> The problem is the complexity level of trying to maintain those
> perimeters, DMZs and firewalls is increasing.  Massive firewall
> complexes with swiss-cheese rules, and huge network perimeters with
> numerous external access points are very difficult to manage.

They're still popular because *most* sites have only a small number (1 to 5
or so) official entrance points into the net, and can probably hire one
or two people with a clue to babysit the firewall units.  The perimeter
may be difficult to manage, but the interior is, in general, totally out of
control.

> Although many of the oldest firewall creators have long pointed out the
> limitations of firewalls, currently practicing security consultants
> rely mostly on Internet security designs with firewalls, DMZs and defining
> perimeters.  This may be partly because some security consulting firms
> are also VARs for firewall vendors; but I don't think it's that simple.

As I like to say, firewalls are *not* a complete solution by themselves.
They need to be addressed as "part of this complete security breakfast".

Unfortunately, users are involved, and you end up having to decide if
you want to make some toast while the users burn the scrambled eggs, or
if you want to say 'screw it' and get an Egg McMuffin on the way to work. ;)

Or stated differently - let's say you're a consultant.  Which can you sell
to the customer more easily - a firewall, or telling them that somebody needs
to explain to the VP that 'viceprez' is a Bad Password?

> Is the Orange Book really dead?

It's dead as far as providing an actual useful spec, as far as I can tell.
It had a number of problems - an actual rating was only for *ONE* specific
configuration, and changing it (even by upgrading memory or adding disks)
would technically invalidate it.  The whole RAMP thing to maintain a rating
across a software upgrade was a true horrorshow paperwork-wise, and it
didn't address network connectivity (although to be fair, there were other
Rainbow Books that talked about RAMP and network stuff).  It's still useful
as a framework reference, mostly due to its ubiquity.


/Valdis
