Dailydave mailing list archives
Re: This just in: Firewalls are obsolete
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 12 Jul 2005 01:19:00 +0200
Jonatan B wrote:
Please use the brand new "ACL Technology" instead. From the article: "... By defining simple ACLs, we further isolate our backend servers." http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml?articleId=165700439
Ignoring this (not you) for a minute, there is some serious research done in the UK in the Jericho group which is called "deperimeterization".
Basically, they say, and I am probably mis-representing their ideas, that we have been poking holes in the "so-called" perimeter for years now.
First with needed ports for services (80, 21, 25, etc.). Then (again, according to them), when almost everyone moved to Microsoft, they were forced to run a flat network.. blocks in our networks simply couldn't work anymore. One example I heard was: try, for example, to run Active Directory, a domain, etc. Each requires dozens of open ports. What you end up with is Swiss cheese.
Further, they say that if you spend the effort of securing laptops which will be used both on the Internet and on your organizational network, and determine that that is enough, why not do the same for the rest of your network?
If you can bring every (erm, every?!) machine in your network to where it is secure enough to be on the Internet, on its own.. then why do you still need a perimeter? According to them the only reason to still keep one would be management related.
I personally find the entire idea absurd and ridiculous. However, I know some of the people involved and they are extremely serious and smart people. They invested a lot of thinking into this so I must not be getting the big picture. I may find this ridiculous, but I am far from vain enough to dismiss some of these people and their work so readily.. I must simply not be getting it.
My point is, however, that there is some research done in this area.. not directly related to your article, which may be of interest. There are many ways of doing security, some of which may be wrong but others might simply not fit your philosophy.
I know some people who would fight to secure every bit and byte. Others who would indeed create a perimeter and declare everything inside trusted, etc. None of these ways of thinking are wrong.. some might just fit you better than others for whatever specific task you have at hand.
However, getting back to this article, saying that we don't need firewalls because we can use ACLs... is one of the silliest statements I have ever heard. It's pretty much like saying.. "hey, we don't need a picket fence, we can use a wooden fence."
Another issue I'd like to address about this article is that the guy actually got something right that I'd agree with. Network blocks are a pain. I never give up on placing different segments of the network in separate environments, closing them off from each other. Still, that is a major productivity problem, and the solutions are not always simple.
Gadi.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
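The picket-fence versus wooden-fence point, as an added example that is not from the post above or from the article it replies to: a stateless router-style ACL and a connection-tracking firewall, simulated in Python over a few constructed packets. The ACL emulates the common "permit tcp any any established" idiom, which matches only on the ACK/RST flag bits; the addresses, ports, the single published web server and the packet sequence are assumptions made for the illustration. The last packet, an inbound ACK-only probe to an internal host, shows what the ACL lets through and the stateful filter does not.

```python
"""Stateless ACL vs. stateful packet filter (added illustration, constructed traffic)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

WEB_SERVER = "10.0.0.80"   # assumed: the one service deliberately published to the Internet


@dataclass(frozen=True)
class Packet:
    name: str
    direction: str      # "in" = arriving from the Internet, "out" = leaving the inside net
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset    # TCP flag names, e.g. frozenset({"SYN"})


def inbound_new_to_web(p: Packet) -> bool:
    """The only new inbound connection either filter is meant to accept."""
    return p.dst == WEB_SERVER and p.dport == 80 and p.flags == {"SYN"}


def acl_permit(p: Packet) -> bool:
    """Stateless ACL, emulating the router idiom (assumed semantics):
         permit tcp any host WEB_SERVER eq 80
         permit tcp any any established      -- true when ACK or RST is set
         deny   ip  any any
    'established' keeps no memory of connections; it only inspects flag bits."""
    if p.direction == "out":
        return True
    if inbound_new_to_web(p):
        return True
    return bool(p.flags & {"ACK", "RST"})   # any ACK-bearing packet passes, reply or not


class StatefulFilter:
    """Connection-tracking filter: an inbound packet is accepted only if it
    belongs to a flow that was opened from the inside (or targets the web server)."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) for flows opened outbound
        self.flows: set = set()

    def permit(self, p: Packet) -> bool:
        if p.direction == "out":
            if "SYN" in p.flags:
                self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        if inbound_new_to_web(p):
            return True
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def run(packets: List[Packet], decide: Callable[[Packet], bool]) -> Dict[str, bool]:
    """Apply a filter to packets in order; returns name -> permitted."""
    return {p.name: decide(p) for p in packets}


# Constructed sample traffic; addresses are documentation ranges, not real hosts.
TRAFFIC = [
    Packet("client-syn-out", "out", "10.0.0.5", 51000, "198.51.100.7", 443, frozenset({"SYN"})),
    Packet("server-synack-in", "in", "198.51.100.7", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),
    Packet("web-syn-in", "in", "203.0.113.9", 40000, WEB_SERVER, 80, frozenset({"SYN"})),
    Packet("smb-syn-in", "in", "203.0.113.9", 40001, "10.0.0.5", 445, frozenset({"SYN"})),
    Packet("smb-ack-probe-in", "in", "203.0.113.9", 40002, "10.0.0.5", 445, frozenset({"ACK"})),
]


def compare() -> Dict[str, Dict[str, bool]]:
    """Verdicts of both filters over the same traffic."""
    return {
        "acl": run(TRAFFIC, acl_permit),
        "stateful": run(TRAFFIC, StatefulFilter().permit),
    }


if __name__ == "__main__":
    for filter_name, verdicts in compare().items():
        print(filter_name)
        for pkt, ok in verdicts.items():
            print(f"  {pkt:20s} {'permit' if ok else 'deny'}")
```

Both filters accept the legitimate reply and the new connection to the web server and both reject the plain inbound SYN to port 445; only the stateless ACL also accepts the ACK-only probe to port 445, because "established" is a flag check rather than a record of who opened the connection.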