
Re: IPSEC == end of firewalls



I once worked for a company where to get an outbound telnet connection
or to put a file with ftp, you needed to go through a gateway which
required us to use a hardware device to participate in a
challenge/response authentication scheme.

While this may be extreme, it points out a use of firewalls people
seem to be ignoring in this discussion:  enforcing policy.  Most
employees will have physical access to the network, and physical
access (=root privileges) to their workstations.  If you want to
enforce a policy of "no http servers, ftp servers, or anything else",
you can't allow any incoming SYN packets.  If you don't want to trust
every single person to configure his/her workstation to reject SYN
packets from outside, you need to do the filtering where most people
can't bypass it.

Now replace SYN above with whatever TCP/IPv6 uses, and the same will
hold.

That said, I hate firewalls.  I find being behind a firewall
incredibly painful.  I hope firewalls do die with IPv6.

David
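The policy David describes, "no inbound connections", comes down to one test on each inbound TCP segment: is it a connection request (SYN set, ACK clear)? The SYN-ACK replies to the workstation's own outbound connections must still get through, or nobody behind the gateway can reach anything. The following is an added example (not code from the post or the list) that parses the fixed TCP header, applies that test only to inbound traffic, and walks through both an outbound connection and a blocked inbound one. The TCP header is identical over IPv4 and IPv6, so the same SYN check applies in both cases. Packet contents, ports and function names here are constructed for illustration.

```python
"""Stateless 'no inbound connections' TCP filter (added worked example)."""
import struct
from dataclasses import dataclass

# TCP flag bits in the low byte of the data-offset/flags field (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Build a 20-byte TCP header with no options (constructed test input)."""
    data_offset = 5 << 12            # header length 5 words = 20 bytes
    window, checksum, urgent = 65535, 0, 0  # checksum left zero; not checked here
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       data_offset | flags, window, checksum, urgent)


def parse_tcp_header(raw: bytes) -> TcpSegment:
    """Parse the fixed part of a TCP header; the layout is the same under IPv6."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return TcpSegment(src_port=src, dst_port=dst, flags=off_flags & 0x1FF)


def is_connection_request(seg: TcpSegment) -> bool:
    """A new connection is opened by a segment with SYN set and ACK clear."""
    return bool(seg.flags & SYN) and not (seg.flags & ACK)


def filter_segment(direction: str, raw: bytes) -> str:
    """Apply the policy: drop inbound connection requests, pass everything else.

    direction is "in" (from outside toward the workstations) or "out".
    Outbound traffic is not restricted, so employees can still be clients.
    """
    seg = parse_tcp_header(raw)
    if direction == "in" and is_connection_request(seg):
        return "DROP"
    return "ACCEPT"


def walk_through() -> dict:
    """Run a few constructed segments through the filter and collect verdicts."""
    return {
        # Workstation opens a connection to an outside web server: allowed.
        "out_syn": filter_segment("out", build_tcp_header(40000, 80, SYN)),
        # The server's SYN-ACK comes back inbound: must be accepted.
        "in_synack": filter_segment("in", build_tcp_header(80, 40000, SYN | ACK)),
        # Outside host tries to open a connection to an unsanctioned server: dropped.
        "in_syn": filter_segment("in", build_tcp_header(51000, 8080, SYN)),
        # Inbound data on an established connection: accepted.
        "in_ack": filter_segment("in", build_tcp_header(80, 40000, ACK | PSH)),
    }


if __name__ == "__main__":
    for name, verdict in walk_through().items():
        print(f"{name:10s} -> {verdict}")
```

This is the stateless form of the policy: any inbound segment without the SYN-only pattern is accepted, whether or not a workstation actually opened the matching connection. A stateful gateway tightens that by recording each outbound SYN and accepting an inbound SYN-ACK only when it matches a recorded request; the rule above is the minimum needed to make "no servers inside" enforceable at a point users cannot bypass.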