|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Dailydave] This just in: Firewalls are obsolete
From: Daniele Muscetta (muscetta
gmail.com)
Date: Tue Jul 12 2005 - 03:35:22 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 7/12/05, Gadi Evron <gelinuxbox.org> wrote:
> Jonatan B wrote:
> > Please use the brand new "ACL Technology" instead.
> >
> >>From the article:
> > "... By defining simple ACLs, we further isolate our backend servers."
> >
> > http://www.securitypipeline.com/shared/article/printablePipelineArticle.jhtml?articleId=165700439
>
> Ignoring this (not you) for a minute, there is some serious research
> done in the UK in the Jericho group which is called "deperimeterization".
>
> Basically, they say, and I am probably mis-representing their ideas,
> that we have been poking holes in the "so-called" perimeter for years now.
> [...]
> If you can bring every (erm, every?!) machine in your network to where
> it is secure enough to be on the Internet, on its own.. then why do you
> still need a perimeter? According to them the only reason to still keep
> one would be management related.
>
> I personally find the entire idea absurd and ridiculous. However, I know
> some of the people involved and they are extremely serious and smart
> people. They invested a lot of thinking into this so I must not be
> getting the big picture.
> I may find this ridiculous, but I am far from vain enough to dismiss
> some of these people and their work so readily.. I must simply not be
> getting it.
There are a lot of people who agree with this, and a lot of people who disagree.
The Jericho Group idea of "deperimeterization" was presented by Paul
Simmonds at BlackHat Europe 2004 as a keynote, and I found it very
interesting.
I wrote about that on http://www.itvc.net/blackhat04/19.asp (in Italian).
Steve Riley has spoken about a similar concept, with different
wording: "the death of the DMZ".
Recently also Marcus Ranum was interviewed on SecurityFocus and was
asked about this.
Anyway, this is the kind of subject that is very suited for LONG
threads... with alternate mails from the two parties: those who agree
and those who don't.
Just to mention what *I* think about, I recently blogged about my
opinion on http://www.muscetta.com/b2.php?p=47&c=1 (there are also the
links to both Ranum's interview and Riley's speech)
Best to all,
Daniele
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]