[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IPSEC == end of firewalls



At 01:40 PM 1/23/96 -0800, Simon Spero allegedly wrote:

>This thread definitely belongs as cypherpunks, as the whole point of the 
>discussion is to debate the limits of what cryptography on its own can 
>achieve. 
>

Back, by popular demand...

I didn't really want to continue this discussion here, but I received 
a couple mails requesting that I continue in this thread.  I'm still 
uncomfortable with this, but I'll oblige.


>What do you need as well as crypto before you can remove all firewalls?

I don't think this will ever happen.  However, as long as we're dreaming, 
here's my 2 cents worth on a good start for a secure environment would 
look like.  It's not complete by any stretch of an imagination, but it's 
a start:


o Start with a Secure Operating System - Secure Computing's firewall is a good 
   example of this.  They have done some pretty neat things with Type
Enforcement.

o Add in some decent authentication/encryption/verification mechanisms/digital 
   sigs, etc V-ONE's SmartGate, Fortezza, & Persona would do nicely.  Hand-held 
   token devices such as the ones mentioned above should work well.  Of course,
   the user interface to these should be user-friendly.

o Throw in a secure method of communication PGP, PGPphone, etc - which is
   *user-friendly* and which helps automate & manage the key-distribution 
   process (securely, of course)

o Mix in applications which have been re-written to be secure, fast, intuitive,
   user-friendly & interact well with encryption (various kinds).

o Add in a central clearinghouse (don't care where) where the latest key 
   expirations/compromises can be checked automatically to confirm that 
   the e-mail you just received is still valid also wouldn't hurt.

o Combine the best capabilities of Checkpoint's (firewall) lower-level 
   filtering capabilities with V-0NE's upper-level filtering capabilities
   and add these to the secure Operating System's network defense mechanisms

o Add a good dose of IPsec (sprinkling lightly) to secure the pipe
   (kindly omitting the Watergate plumbers)

o Add user-friendly single sign-on capability (Kerberos, et al)

o Mix in heavy encryption with (ridiculously long) keys   (say the number of 
   grains of sand stretched end-to-end to make a light year).  8^)

o Make all of the above user-friendly & easy-to-implement on a large scale  8^)

Throw the ingredients into a pot & stir briskly.


Like I said earlier, it's just a start & not a whole solution by any 
stretch of the imagination.  It's probably a nice wish list, though.  
It'd sure be nice if it came true.  (If you think the above list is 
optimistic, you ought to see my Christmas Wish List).  8^)  8^)  8^)



>
>Simon
>
>(defun modexpt (x y n)  "computes (x^y) mod n"
>  (cond ((= y 0) 1) 	((= y 1) (mod x n))
>	((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n))
>	(t (mod (* x (modexpt x (1- y) n)) n))))

Best Regards,


Frank
Fortified Networks Inc. - Management & Information Security Consulting
Phone: (317) 573-0800   - http://www.fortified.com/fortified/

<standard disclaimer>
The opinions expressed above are of the author and may not 
necessarily be representative of Fortified Networks Inc.