Re: IPSEC == end of firewalls (was Re: (fwd) e$: PBS NewsHour, Path Dependency, IPSEC, Cyberdog, and the Melting of Mr.)
IPsec will not change the role of firewalls. It will change some
technical details about them.
Firewalls do a couple of things:

  Enforce a policy boundary between us & them.
  Reduce the number of systems to be 'well secured' (This is because really securing a machine is tough, and often involves sacrifices of usability.)
  Provide job security/ass covering (see also, satisfy auditors.)

The fact that some traffic passing through is encrypted will
not change any of this. Only allowing traffic to people who provide a
signature is only useful for some things. Besides, there will always
be shitty protocols, like NFS, yp, SMTP, etc that need a firewall to
protect them. Legacy systems are with us forever. (I was in a
meeting last Thursday where we discussed how to handle a Sun3 that
needs to be a router in a CIDR environment. No option to upgrade this
box for complex reasons. I bring it up to illustrate the persistence
of legacy systems.)
Nelson Minar wrote:
| [email protected] (Robert Hettinga) writes:
| [interesting article about the future, which includes..]
|
| >The reason we won't need LANs is because the only real difference between a
| >LAN and the internet is a firewall for security, and the need for clients
| >to speak Novell's TCP/IP-incompatible proprietary network protocol. With
| >internet-level encryption protocols like the IETF IPSEC standard, you won't
| >even need a firewall anymore. The only people who can establish a server
| >session with *any* machine connected to the net will be those issuing the
| >digital signatures authorized to access that machine, no matter where those
| >people are physically. When that happens, networks will need to be as
| >public as possible, which means, of course, TCP/IP, and not Netware.
|
| I'm all for the end of ridiculous non-TCP/IP protocols, but does
| anyone believe this point about encrypted IP traffic eliminating the
| need for firewalls?
--
"It is seldom that liberty of any kind is lost all at once."
-Hume