
IPsec will not change the role of firewalls. It will change some technical details about them.

Firewalls do a couple of things:

- Enforce a policy boundary between us & them.
- Reduce the number of systems to be 'well secured'. (This is because really securing a machine is tough, and often involves sacrifices of usability.)
- Provide job security/ass covering (see also: satisfy auditors).

The fact that some traffic passing through is encrypted will not change any of this. Only allowing traffic to people who provide a signature is only useful for some things. Besides, there will always be shitty protocols, like NFS, yp, SMTP, etc., that need a firewall to protect them.

Legacy systems are with us forever. (I was in a meeting last Thursday where we discussed how to handle a Sun3 that needs to be a router in a CIDR environment. No option to upgrade this box for complex reasons. I bring it up to illustrate the persistence of legacy systems.)

Nelson Minar wrote:
| rah@shipwright.com (Robert Hettinga) writes:
| [interesting article about the future, which includes..]
|
| >The reason we won't need LANs is because the only real difference between a
| >LAN and the internet is a firewall for security, and the need for clients
| >to speak Novell's TCP/IP-incompatible proprietary network protocol. With
| >internet-level encryption protocols like the IETF IPSEC standard, you won't
| >even need a firewall anymore. The only people who can establish a server
| >session with *any* machine connected to the net will be those issuing the
| >digital signatures authorized to access that machine, no matter where those
| >people are physically. When that happens, networks will need to be as
| >public as possible, which means, of course, TCP/IP, and not Netware.
|
| I'm all for the end of ridiculous non-TCP/IP protocols, but does
| anyone believe this point about encrypted IP traffic eliminating the
| need for firewalls?

-- 
"It is seldom that liberty of any kind is lost all at once." -Hume