At 10:30 AM 1/23/96 -0500, perry@piermont.com allegedly wrote:
Frank Willoughby writes:
While IP level security & authentication will go a long way to help prevent abuses and reduce unauthorized accesses, I doubt if it will provide enough protection by itself.
I agree with this, but...
o Node Spoofing will probably still be possible
Nope. It won't.
I disagree. I haven't met a system that couldn't somehow be gotten around. The creativity of hackers is exceeded only by their motivation and ability to put many hours into trying to solve a problem. Including the word "probably" was deliberate. Kerberos was also thought to be secure - 'til it was compromised. Software isn't bug-free & design or security methodologies can't provide 100% coverage. Hackers take advantage of this and inherent weaknesses in design flaws.
o The connections will probably also be subject to man-in-the-middle attacks (Never underestimate the creativity of people who want to compromise your networks)
No, they won't be subject to such attacks any longer.
Answer is the same as the above paragraph. I try not to use the word "can't" or "won't" when possible. Granted "probably" sounds wishy-washy, but it is frequently accurate.
The real problem, as you noted, is that our applications aren't very secure.
I suspect even when firewalls are embedded in the O/S,
That would be somewhat meaningless. The point of a firewall, as others here have noted, is that it is easier to secure one machine than five hundred or ten thousand.
I disagree here also. Systems by themselves are fairly useless. Their power (and main vulnerability) comes from their ability to network with other systems. A system connected to a network is vulnerable. The fact that a corporate firewall protects the system from the Internet in no way decreases the vulnerability of that system (and other systems) from *internal* attacks which can be as devastating as an Internet attack. Including firewall capabilities as part of the Operating System's network applications would help the system protect itself from abuses from the Internet - as well as from internal.
IMHO, the first company to include a firewall as a standard part of their Operating Systems has a real good shot at increasing their market share.
Again, somewhat meaningless, as a real firewall involves defense in depth (screening routers, a bastion proxy host, etc) and is more of a configuration issue than an O.S. issue.
In the current context yes. However, a firewall is only solving one part of the problem. Just as Information Security must be integrated into every layer of a company (from users->system managers->managers->executives), it must also be incorporated into each part in a network (systems, LANs, external connections).
Perry
Best Regards,
Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/

<standard disclaimer>
The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.