Re: IPSEC == end of firewalls
At 10:30 AM 1/23/96 -0500, perry@piermont.com allegedly wrote:
Frank Willoughby writes:
While IP level security & authentication will go a long way to help prevent abuses and reduce unauthorized accesses, I doubt if it will provide enough protection by itself.
I agree with this, but...
o Node Spoofing will probably still be possible
Nope. It won't.
I disagree. I haven't met a system that couldn't somehow be gotten around. The creativity of hackers is exceeded only by their motivation and ability to put many hours into trying to solve a problem. Including the word "probably" was deliberate. Kerberos was also thought to be secure - 'til it was compromised. Software isn't bug-free & design or security methodologies can't provide 100% coverage. Hackers take advantage of this and inherent weaknesses in design flaws.
o The connections will probably also be subject to man-in-the-middle attacks (Never underestimate the creativity of people who want to compromise your networks)
No, they won't be subject to such attacks any longer.
Answer is the same as the above paragraph. I try not to use the word "can't" or "won't" when possible. Granted "probably" sounds wishy-washy, but it is frequently accurate.
The real problem, as you noted, is that our applications aren't very secure.
I suspect even when firewalls are embedded in the O/S,
That would be somewhat meaningless. The point of a firewall, as others here have noted, is that it is easier to secure one machine than five hundred or ten thousand.
I disagree here also. Systems by themselves are fairly useless. Their power (and main vulnerability) comes from their ability to network with other systems. A system connected to a network is vulnerable. The fact that a corporate firewall protects the system from the Internet in no way decreases the vulnerability of that system (and other systems) from *internal* attacks which can be as devastating as an Internet attack. Including firewall capabilities as part of the Operating System's network applications would help the system protect itself from abuses from the Internet - as well as from internal.
IMHO, the first company to include a firewall as a standard part of their Operating Systems has a real good shot at increasing their market share.
Again, somewhat meaningless, as a real firewall involves defense in depth (screening routers, a bastion proxy host, etc) and is more of a configuration issue than an O.S. issue.
In the current context yes. However, a firewall is only solving one part of the problem. Just as Information Security must be integrated into every layer of a company (from users->system managers->managers-> executives), it must also be incorporated into each part in a network (systems, LANs, external connections).
Perry
Best Regards,
Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800 - http://www.fortified.com/fortified/
<standard disclaimer> The opinions expressed above are of the author and may not necessarily be representative of Fortified Networks Inc.
On Tue, 23 Jan 1996, Frank Willoughby wrote:
At 10:30 AM 1/23/96 -0500, perry@piermont.com allegedly wrote:
Frank Willoughby writes:
While IP level security & authentication will go a long way to help prevent abuses and reduce unauthorized accesses, I doubt if it will provide enough protection by itself.
I agree with this, but...
o Node Spoofing will probably still be possible
Nope. It won't.
I disagree. I haven't met a system that couldn't somehow be gotten around. The creativity of hackers is exceeded only by their motivation and ability to put many hours into trying to solve a problem. Including the word "probably" was deliberate. Kerberos was also thought to be secure - 'til it was compromised. Software isn't bug-free & design or security methodologies can't provide 100% coverage. Hackers take advantage of this and inherent weaknesses in design flaws.
Clearly. I keep hearing references to weaknesses in kerberos, which I more or less rely on. What are the problems I should be worrying about? Preferably as URLs. Also, we have a new kerberos implementation for Macs that we're going to roll out soon. I'll see if the project manager would be willing to let other people take a look at it. -rich
Frank Willoughby writes:
At 10:30 AM 1/23/96 -0500, perry@piermont.com allegedly wrote:
Frank Willoughby writes:
While IP level security & authentication will go a long way to help prevent abuses and reduce unauthorized accesses, I doubt if it will provide enough protection by itself.
I agree with this, but...
o Node Spoofing will probably still be possible
Nope. It won't.
I disagree. I haven't met a system that couldn't somehow be gotten around.
Yes, certainly. You can bribe someone, get physical access to machines, etc. However, unless you know a way to crack RSA, it is unlikely that a system using Photuris+IPsec will permit IP spoofing.
The creativity of hackers is exceeded only by their motivation and ability to put many hours into trying to solve a problem. Including the word "probably" was deliberate. Kerberos was also thought to be secure - 'til it was compromised.
Kerberos was compromised? When? By whom? Are you talking about Bellovin's paper on weaknesses in Kerberos (most of which are avoidable or fixed in K5), or are you talking about a real break? If the latter, it's the first that I've heard of it.
I suspect even when firewalls are embedded in the O/S,
That would be somewhat meaningless. The point of a firewall, as others here have noted, is that it is easier to secure one machine than five hundred or ten thousand.
I disagree here also. Systems by themselves are fairly useless. Their power (and main vulnerability) comes from their ability to network with other systems. A system connected to a network is vulnerable. The fact that a corporate firewall protects the system from the Internet in no way decreases the vulnerability of that system (and other systems) from *internal* attacks which can be as devastating as an Internet attack.
Including firewall capabilities as part of the Operating System's network applications would help the system protect itself from abuses from the Internet - as well as from internal.
These last two paragraphs are gibberish. You can't "firewall" every machine -- the act is meaningless. A Firewall is a filter designed to protect you from bugs in the setup or implementation of the software on the machines on the inside. What would it mean for a machine to have "firewall software" in the operating system? Systems already attempt to prevent unauthorized access -- the reason you have firewalls is because that software is sometimes buggy. "Firewall software" in the OS is a meaningless concept.
Perry
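The disagreement above is about whether per-packet authentication actually stops address spoofing and in-flight modification. The following is an added example, not code from this thread or from any IPsec implementation. It models the AH-style integrity check: a keyed MAC over the addresses, a sequence number and the payload, plus the anti-replay window that the AH specification describes. Assumptions not taken from the thread: a fixed 32-byte shared key (standing in for keys negotiated by Photuris or IKE), HMAC-SHA256 as the MAC (AH in 1996 used keyed MD5), a 64-packet window, and the constructed addresses and payloads.

```python
"""Toy model of IPsec AH-style per-packet authentication (constructed example).

Assumptions, not from the thread: a fixed shared key (real IPsec derives it
from a key exchange such as Photuris or IKE), HMAC-SHA256 as the integrity
algorithm, and a 64-packet anti-replay window.
"""
import hashlib
import hmac
import struct

KEY = b"\x01" * 32   # constructed shared key; a real key comes from key exchange
WINDOW = 64          # anti-replay window size (assumed)


def ip_bytes(addr: str) -> bytes:
    """Dotted-quad IPv4 string to 4 bytes."""
    return bytes(int(o) for o in addr.split("."))


def build_packet(key: bytes, src: str, dst: str, seq: int, payload: bytes) -> bytes:
    """Return src(4)|dst(4)|seq(4)|icv(32)|payload.

    The ICV covers the immutable header fields (addresses), the sequence
    number and the payload, so changing any of them without the key makes the
    packet fail verification at the receiver.
    """
    header = ip_bytes(src) + ip_bytes(dst) + struct.pack("!I", seq)
    icv = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + icv + payload


class Receiver:
    """Verifies the ICV, then enforces a sliding anti-replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0      # highest sequence number accepted so far
        self.seen = set()     # sequence numbers accepted inside the window

    def accept(self, packet: bytes):
        """Return (ok, reason). ICV is checked before anything else."""
        if len(packet) < 44:
            return False, "truncated"
        header, icv, payload = packet[:12], packet[12:44], packet[44:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            # forged source address, altered payload, or a key the sender lacks
            return False, "bad icv"
        seq = struct.unpack("!I", header[8:12])[0]
        if seq == 0:
            return False, "seq zero"
        if seq > self.highest:
            # slide the window forward and forget entries that fall out of it
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - WINDOW}
        elif seq <= self.highest - WINDOW:
            return False, "too old"
        elif seq in self.seen:
            return False, "replay"
        self.seen.add(seq)
        return True, "ok"


def demo() -> dict:
    """Run the attacks discussed in the thread against one receiver."""
    rx = Receiver(KEY)
    out = {}
    good = build_packet(KEY, "10.0.0.5", "10.0.0.9", 1, b"hello")
    out["genuine"] = rx.accept(good)[1]
    # Attacker on the wire replays the genuine packet unchanged.
    out["replay"] = rx.accept(good)[1]
    # Attacker at another host claims to be 10.0.0.5 but does not hold KEY.
    forged = build_packet(b"\x02" * 32, "10.0.0.5", "10.0.0.9", 2, b"hello")
    out["forged_src"] = rx.accept(forged)[1]
    # Man in the middle rewrites the payload of a genuine packet in flight.
    out["tampered"] = rx.accept(good[:44] + b"jello")[1]
    # Normal traffic advances the window; old numbers then become unusable.
    out["later"] = rx.accept(build_packet(KEY, "10.0.0.5", "10.0.0.9", 100, b"x"))[1]
    out["too_old"] = rx.accept(build_packet(KEY, "10.0.0.5", "10.0.0.9", 1, b"x"))[1]
    out["in_window"] = rx.accept(build_packet(KEY, "10.0.0.5", "10.0.0.9", 50, b"x"))[1]
    return out


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name:10s} -> {reason}")
```

Every forged, altered or replayed packet is dropped, which is the property Perry is relying on; what the model does not cover is Frank's point, since a leaked key, a receiver that skips the window check, or a bug in the verifier restores exactly the attacks shown here.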