At 10:55 AM 1/23/96 -0500, Ben <adept@minerva.cis.yale.edu> wrote:

>> functionality of most firewalls would eventually be an add-on application option for Operating Systems and that eventually it will be a standard part of every Operating System. Until then, we have to punt & keep using firewalls.

> I'm not so convinced that adding 'firewall functionality' to an OS is such a good idea. The idea behind having a firewall is that
>
> * You have a hardened host that has been stripped of anything that could be used by an attacker to compromise other systems
> * You have a single machine that serves as the sole port of entry into your domain.
>
> Keeping your defense perimeter nice and small makes it manageable to maintain.
I agree with your statements above about firewalls and wholeheartedly agree that a firewall needs these characteristics (among others) to remain relatively secure. However, I'm not saying that adding firewalling capabilities would make the system invincible. I *am* saying that it would provide the system with more security than it currently has and would help to reduce (not eliminate) some risks associated with networking. Of course, it would be terrific if the vendors would produce Operating Systems which are secure AND usable. (I think the market will eventually demand this from vendors, but this probably won't happen in the next year or two.)
> When you start trying to switch firewall functionality to an OS you lose both these advantages. You no longer have a system that is stripped of compilers, scripting languages, etc, and you now have a much larger security perimeter.
Agreed - to a point. The idea is to provide the systems with increased defensive capabilities - lowering potential risks. (See above paragraph)

FWIW, I feel rather uncomfortable continuing this thread in the cypherpunks mailing list when the subject at hand deals more with firewalls than it does with cryptography. I would prefer to continue this discussion in the firewalls mailing list (of which I am a fairly regular participant). If you would like to subscribe to the firewalls mailing list, send a mail to:

    majordomo@GreatCircle.com

(leaving the subject line blank) and in the body of the message put:

    subscribe firewalls "your_email_address"

(omitting the quotes). See you there.
> Ben.
> ____
> Ben Samman..............................................samman@cs.yale.edu
> "If what Proust says is true, that happiness is the absence of fever, then I will never know happiness. For I am possessed by a fever for knowledge, experience, and creation." -Anais Nin
> PGP Encrypted Mail Welcomed    Finger samman@suned.cs.yale.edu for key
> Want to hire a soon-to-be college grad? Mail me for resume
Best Regards,
Frank

Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
For a free downloadable Internet Firewalls Checklist, please see our home page.

<standard disclaimer> The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
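Ben's first criterion for a firewall host (stripped of anything an attacker could use against the rest of the network) is easy to state and easy to let slip as packages get installed over time. The following POSIX shell audit is an added example written for this page, not code from either correspondent or from Fortified Networks. The list of compilers and interpreters it looks for, and the directories it searches, are assumptions to adjust for your platform. It takes a root prefix as its argument so it can be run against a mounted image or a staging tree as well as the live host, and it also lists setuid/setgid binaries, since each one is a local privilege-escalation target on a machine that is meant to be the sole point of entry.

```shell
#!/bin/sh
# Bastion-host audit (added example; not from the thread above).
# Reports build tools / interpreters and setuid binaries found under a root
# prefix, i.e. things a hardened firewall host should have been stripped of.
#
# Assumptions: the tool names and search directories below are a starting
# point for a typical Unix layout, not an authoritative list.

FORBIDDEN_TOOLS="cc gcc g++ clang make ld as perl python python3 ruby tclsh php node"
SEARCH_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# find_forbidden_tools [ROOT]
# Prints the full path of every forbidden tool present under ROOT (default /),
# one per line. Prints nothing when the host is clean.
find_forbidden_tools() {
    root=${1:-/}
    for d in $SEARCH_DIRS; do
        for t in $FORBIDDEN_TOOLS; do
            p="${root%/}/$d/$t"        # "${root%/}" turns "/" into "" so / works too
            [ -f "$p" ] && printf '%s\n' "$p"
        done
    done
    return 0
}

# find_setuid [ROOT]
# Prints every setuid or setgid regular file in the search directories.
find_setuid() {
    root=${1:-/}
    for d in $SEARCH_DIRS; do
        dir="${root%/}/$d"
        [ -d "$dir" ] && find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    done
    return 0
}

# audit_bastion [ROOT]
# Prints a report and returns 0 if nothing was found, 1 otherwise, so it can
# gate a build or a scheduled check.
audit_bastion() {
    root=${1:-/}
    tools=$(find_forbidden_tools "$root")
    suid=$(find_setuid "$root")
    status=0
    if [ -n "$tools" ]; then
        echo "Build tools / interpreters present (remove from a bastion host):"
        printf '%s\n' "$tools" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$suid" ]; then
        echo "Setuid/setgid binaries (each is an escalation target; justify or remove):"
        printf '%s\n' "$suid" | sed 's/^/  /'
        status=1
    fi
    [ "$status" -eq 0 ] && echo "No forbidden tools or setuid binaries under ${root%/}/"
    return "$status"
}

# To run against the live host after sourcing this file:
#   audit_bastion /
# or against a mounted image:
#   audit_bastion /mnt/bastion-image
```

The functions are kept free of side effects and top-level commands so the file can be sourced from a larger hardening check; a non-zero return from audit_bastion is the signal to fail a build or page someone. The tool list deliberately includes interpreters as well as compilers, because a scripting language on the firewall host gives an attacker nearly as much as a C compiler does.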