
Re: IPSEC == end of firewalls




While IP level security & authentication will go a long way to help 
prevent abuses and reduce unauthorized accesses, I doubt if it will
provide enough protection by itself.  While I would love to be proven 
wrong, I believe firewalls are here to stay (at least for the next 
year or two).  A couple of reasons why:

o Node Spoofing will probably still be possible
o The connections will probably also be subject to man-in-the-middle attacks
   (Never underestimate the creativity of people who want to compromise your
   networks)
o Authentication by itself will *not* provide adequate protection against 
   many abuses
o End-to-end encryption by itself won't completely solve the problems either
   (however, it *does* go a long way to prevent man-in-the-middle attacks)
o While IP security & authentication helps to secure the pipe between the 
   two systems which want to communicate with each other, it does not provide
   any security about the applications running over the pipe.  

   (ie - if you and I have a secure pipe between your system and mine & you
   have a worm running loose on your network, the only thing the secure pipe
   will do is ensure that other systems (not in the pipe) won't be damaged as
   the worm propagates out of your network into mine).

   Also.  Which version of sendmail are we up to now?


As far as the future of firewalls goes, I would probably guess that the 
functionality of most firewalls would eventually be an add-on application 
option for Operating Systems and that eventually it will be a standard 
part of every Operating System.  Until then, we have to punt & keep using 
firewalls.  

I suspect even when firewalls are embedded in the O/S, that some type of 
firewall will still be needed to quasi-isolate a company's network from 
the Internet (and establish them as one entity) and to contain potential
networking problems which arise when someone configures their system with 
the wrong IP address (or other type of problem).

IMHO, the first company to include a firewall as a standard part of their
Operating Systems has a real good shot at increasing their market share.  
Perhaps the O/S vendors are paying attention to this list & will implement
this (would be nice).  8^)  Of course, it would also help, if their systems 
were delivered secure - out-of-the-box and we didn't have to spend so much 
time continually locking them down & keeping up with the latest CERT Advisories.
8^)  8^)

Best Regards,


Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com/fortified/

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.