Re: [Dailydave] This just in: Firewalls are obsolete

From: Gadi Evron (gelinuxbox.org)
Date: Mon Jul 11 2005 - 18:19:00 CDT


Jonatan B wrote:
> Please use the brand new "ACL Technology" instead.
>
> From the article:
> "... By defining simple ACLs, we further isolate our backend servers."
>
> http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml?articleId=165700439

Ignoring this (not you) for a minute, there is some serious research
done in the UK in the Jericho group which is called "deperimeterization".

Basically, they say, and I am probably mis-representing their ideas,
that we have been poking holes in the "so-called" perimeter for years now.
First with needed ports for services (80, 21, 25, etc.).
Then (again, according to them) when almost everyone moved to Microsoft
they were forced to run a flat network.. blocks in our networks simply
couldn't work anymore. One example I heard was: Try for example to run
Active Directory, a domain etc. Each requires dozens of ports open. What
you end up with is Swiss cheese.

Further, they say that if you spend the effort of securing laptops which
will be used both on the Internet and on your organizational network,
and determine that that is enough, why not do the same for the rest of
your network?

If you can bring every (erm, every?!) machine in your network to where
it is secure enough to be on the Internet, on its own.. then why do you
still need a perimeter? According to them the only reason to still keep
one would be management related.

I personally find the entire idea absurd and ridiculous. However, I know
some of the people involved and they are extremely serious and smart
people. They invested a lot of thinking into this so I must not be
getting the big picture.
I may find this ridiculous, but I am far from vain enough to dismiss
some of these people and their work so readily.. I must simply not be
getting it.

My point is, however, that there is some research done in this area..
not directly related to your article, which may be of interest.
There are many ways of doing security, some of which may be wrong but
others might simply not fit your philosophy.

I know some people who would fight to secure every bit and byte. Others
who would indeed create a perimeter and declare everything inside
trusted, etc. None of these ways of thinking are wrong.. some might just
fit you better than others for whatever specific task you have at hand.

However, getting back to this article, saying that we don't need
firewalls because we can use ACLs... is one of the silliest statements
I ever heard. It's pretty much like saying.. "hey, we don't need a
picket-fence, we can use a wooden-fence."

Another issue I'd like to address about this article is that the guy
actually got something that I'd agree on. Network blocks are a pain.
I never give up on placing different segments of the network in separate
environments, closing them from each other. Still, that is a major
productivity problem, and the solutions are not always simple.

        Gadi.
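The thread argues about whether an ACL can stand in for a firewall, but never spells out the technical difference. The added example below (my own illustration, not code from the mailing list or from any product it mentions) models the two as tiny packet filters: a stateless ACL that judges each packet on its own, and a stateful filter that remembers connections opened from inside. Addresses, ports and rule sets are constructed for the demonstration. It shows the "Swiss cheese" effect the post describes: to let reply traffic back in, a stateless ACL must open the whole ephemeral port range, which also admits packets nobody inside asked for, whereas the stateful filter admits a reply only when it matches a tracked connection.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample network: "inside" is 10.0.0.0/8, everything else is outside.
INSIDE = "10.0.0.0/8"
ANYWHERE = "0.0.0.0/0"
ANY_PORT = range(0, 65536)
EPHEMERAL = range(1024, 65536)   # client-side source ports
HTTP = range(80, 81)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    src: str         # CIDR
    sports: range
    dst: str         # CIDR
    dports: range

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and p.sport in self.sports
                and ip_address(p.dst) in ip_network(self.dst)
                and p.dport in self.dports)


def stateless_acl(rules: list, p: Packet) -> str:
    """Classic router ACL: first matching rule wins, implicit deny at the end.
    Every packet is judged alone; the ACL has no memory of earlier packets."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Stateless ACL that lets inside hosts browse the web. Because the ACL cannot
# recognise a reply, a second rule has to admit inbound packets from source
# port 80 to the entire ephemeral range on every inside host.
WEB_ACL = [
    Rule("permit", INSIDE, ANY_PORT, ANYWHERE, HTTP),
    Rule("permit", ANYWHERE, HTTP, INSIDE, EPHEMERAL),
]


class StatefulFilter:
    """Minimal stateful firewall: rules decide only whether a connection may be
    opened; replies are admitted solely because a matching connection exists."""

    def __init__(self, rules: list):
        self.rules = rules
        self.conns: set = set()   # (src, sport, dst, dport) of open connections

    def check(self, p: Packet) -> str:
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self.conns:
            return "permit"       # reply to a connection we saw being opened
        if p.syn and stateless_acl(self.rules, p) == "permit":
            self.conns.add((p.src, p.sport, p.dst, p.dport))
            return "permit"
        return "deny"


# The stateful policy needs only the outbound rule; no inbound hole is required.
STATEFUL_RULES = [Rule("permit", INSIDE, ANY_PORT, ANYWHERE, HTTP)]


def compare() -> dict:
    """Run the same three constructed packets through both filters."""
    outbound = Packet("10.0.0.5", 40000, "203.0.113.9", 80, syn=True)
    reply = Packet("203.0.113.9", 80, "10.0.0.5", 40000)
    # Unsolicited inbound packet with source port 80 aimed at an inside service
    # port that happens to lie in the ephemeral range the ACL had to open.
    unsolicited = Packet("203.0.113.9", 80, "10.0.0.5", 3389)

    sf = StatefulFilter(STATEFUL_RULES)
    return {
        "acl": [stateless_acl(WEB_ACL, p) for p in (outbound, reply, unsolicited)],
        "stateful": [sf.check(p) for p in (outbound, reply, unsolicited)],
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:9s} outbound={verdicts[0]} reply={verdicts[1]} unsolicited={verdicts[2]}")
```

The stateless ACL permits all three packets, including the unsolicited one, because the only way it can admit replies is a standing inbound hole; the stateful filter permits the first two and denies the third. That gap, not the syntax of the rules, is what separates an ACL from a firewall, and it is the same hole-poking the post describes when it talks about dozens of open ports per service.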