
Saturday, July 06, 2013

firewall-wizards Digest, Vol 66, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: DISA eliminating firewalls (Bennett Todd)
2. Re: DISA eliminating firewalls (Tim Harris)
3. Re: DISA eliminating firewalls (Crispin Cowan)
4. Re: DISA eliminating firewalls (Patrick M. Hausen)


----------------------------------------------------------------------

Message: 1
Date: Fri, 5 Jul 2013 11:07:34 -0400
From: Bennett Todd <bet@rahul.net>
Subject: Re: [fw-wiz] DISA eliminating firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CAA9gXs96EMgK7pV=MDgatzbVUxKDSCOnjFkt4dsozeWKP4jLgg@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

Thanks for sharing that provocative article.

I find this peculiarly annoying. It seems to use the noun
Firewall in the belief that there's a definition that everyone agrees
on.

Ever since the argument began between advocates of packet filters and
those who favour application-level proxies, I've been using a
definition, which I'm sure I borrowed from someone else: a system,
deployed at a network traffic choke point, to help implement that
portion of a security policy that can be expressed in terms of traffic
flows.

I'd like to hope that what the author is describing is an effort to
shift security towards the edges of the network, where both the data
and the diversity hang out.

But if the need to attempt to enforce security policy on network
traffic is still present, there's still going to be a need for a
firewall; and if it morphs into a management tool for coordinating all
the vast array of control tools on everything from phones to printers
to network attached storage to routers, I'm not terribly optimistic.

-Bennett
<bet@rahul.net>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20130705/2c9be32e/attachment-0001.html>

------------------------------

Message: 2
Date: Fri, 5 Jul 2013 09:21:27 -0700
From: Tim Harris <tim@fbnservices.us>
Subject: Re: [fw-wiz] DISA eliminating firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<E8A5605884B22D4BBCD12F82692732585BC0D5D14D@FBN.fbnservices.us>
Content-Type: text/plain; charset="iso-8859-1"

I think it's a mistake to assert that something will never happen. I suspect that firewalls, per se, may disappear but the essential function will stay. The largest function that firewalls perform today is a coarse filtering of traffic. They eliminate the obvious bad traffic as well as traffic that is misdirected. I have no data on the percentage of traffic that never makes it through the firewall but suppose that it means the traffic behind the firewall is reduced by 20%. That reduces my cost because I need less bandwidth and less robust equipment. It also means I save on CPU cycles because that traffic is checked once at the perimeter rather than forcing every device to inspect it. This is why they still do ID checks at the door when entering a bar. On the other hand, you can drive without a license if you are willing to take the chance of getting caught and paying the penalty.

I would argue that the next logical step in firewalls is a meta-firewall. Suppose that I have a large, distributed network with multiple firewalls and routers. I argue that a good firewall software ought to be able to treat that as a single administrative unit. I define a set of rules similarly to what I do now with my single firewall. The meta-firewall should be able to analyze my routing and switch configuration, determine the rule set that is appropriate to each individual device and push that out automatically. That way I don't have to go to each single firewall, define a set of rules, and hope that they are consistent and correct.

The more points of management I have, the greater the opportunity for me to screw it up. By distributing the firewall function (which is what I suspect will really happen at DISA), as described in the article, there is a huge administrative challenge for which I don't think there is a good solution yet.

Respectfully,

Tim Harris


-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of André Lima
Sent: Thursday, July 04, 2013 11:27 AM
To: firewall-wizards@listserv.icsalabs.com
Subject: Re: [fw-wiz] DISA eliminating firewalls

Firewalls will never and should never disappear.
The reason is that multi-layer security systems are the best one can apply for any network. And by definition it means that one layer (e.g. firewall) will obviously not be enough, but nevertheless it is an essential part of the security system. And the reason I believe it won't disappear is that it gives us all some assurance. Just as the door in my house. If a great professional burglar wants to get something from our homes, the door will obviously not stop him. But that doesn't mean I'm willing to give up my door and just be in an open door home, because it does help in some situations (typical strangers, or unwanted kids). I don't want to be inside and be worried that a drifting stranger might get inside and sleep in my bed while I'm away just because there was nothing to stop him.
But if you're just implying that such a system can be implemented, indeed that's possible. But that would be an end-to-end security system which is a nightmare to maintain. A firewall is centralized and even though we all know it's not enough to mitigate all attacks, it does give me some basic assurances so I don't have to be (extremely?) paranoid inside my own network.

Best regards,
André Lima
http://www.andr3l1ma.net/
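The "meta-firewall" Tim describes (one global policy, per-device rule sets derived from topology, consistency checked centrally) can be sketched in a few dozen lines. This is an added illustration, not code from any product or list member; the zone names, firewall names and policy are constructed, and the model deliberately simplifies: every firewall is a hop between the zones it has interfaces in, a rule lands on every firewall along the shortest zone path, and a rule whose endpoints no firewall separates is reported as unenforceable rather than silently dropped.

```python
from collections import deque
# Constructed topology: each firewall lists the zones it has an interface in.
FIREWALLS = {
    "fw-edge":   {"internet", "dmz"},
    "fw-core":   {"dmz", "office", "servers"},
    "fw-branch": {"branch", "office"},
}

# Constructed global policy, written once: (src_zone, dst_zone, proto, port).
POLICY = [
    ("internet", "dmz",     "tcp", 443),
    ("office",   "servers", "tcp", 22),
    ("branch",   "servers", "tcp", 445),
    ("lab",      "servers", "tcp", 80),   # "lab" sits behind no firewall at all
]

def path_firewalls(src, dst, firewalls):
    """Ordered list of firewalls a src->dst flow crosses (BFS over zones,
    one hop per firewall). None means no device can enforce the rule."""
    prev = {src: None}                  # zone -> (previous zone, firewall crossed)
    queue = deque([src])
    while queue and dst not in prev:
        zone = queue.popleft()
        for fw, zones in firewalls.items():
            if zone in zones:
                for nxt in zones:
                    if nxt not in prev:
                        prev[nxt] = (zone, fw)
                        queue.append(nxt)
    if dst not in prev:
        return None
    hops, zone = [], dst
    while prev[zone] is not None:       # walk back from dst collecting firewalls
        zone, fw = prev[zone]
        hops.append(fw)
    return hops[::-1]

def compile_policy(policy, firewalls):
    """Per-device allow lists ending in default deny, plus unenforceable rules."""
    per_device = {fw: [] for fw in firewalls}
    unenforceable = []
    for src, dst, proto, port in policy:
        hops = path_firewalls(src, dst, firewalls)
        if hops is None:
            unenforceable.append((src, dst, proto, port))
        for fw in hops or []:
            per_device[fw].append(f"allow {proto} {src} -> {dst} port {port}")
    for rules in per_device.values():
        rules.append("deny any")        # every device closes with an explicit deny
    return per_device, unenforceable
```

The unenforceable list is the interesting output for an operator: it is exactly the class of mistake that shows up only when rules are written per box and nobody checks whether a box is actually on the path.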



------------------------------

Message: 3
Date: Fri, 5 Jul 2013 19:03:36 +0000
From: Crispin Cowan <crispin@crispincowan.com>
Subject: Re: [fw-wiz] DISA eliminating firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BLU404-EAS307B5E9A0D5AF61F0A13F0DC17D0@phx.gbl>
Content-Type: text/plain; charset="utf-8"

Firewalls are virtually guaranteed to disappear. The writing was on the wall the first time "crunchy outside, gooey middle" was uttered. Smart phones and tablets dig the hole deeper, and BYOD is the nail in the coffin.


You cannot protect your networks in a world full of smart phones and tablets, owned by consumers, which must be allowed to connect to the network. The only thing you can do at that point is to stop trusting the network, and instead trust individual nodes, and use encrypted channels (IPsec, SSL, whatever) between nodes that trust each other.


When this will happen is far less clear, and it may be that DISA is a bit premature here. But this is coming, get used to it.






Sent from Windows Mail





-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20130705/884feb9f/attachment-0001.html>

------------------------------

Message: 4
Date: Fri, 5 Jul 2013 22:38:14 +0200
From: "Patrick M. Hausen" <hausen@punkt.de>
Subject: Re: [fw-wiz] DISA eliminating firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <D9FCB991-047F-4B25-9BE9-0445CEA3BFE4@punkt.de>
Content-Type: text/plain; charset=windows-1252

Hi, Wizards,

On 05.07.2013 at 18:21, Tim Harris <tim@fbnservices.us> wrote:
> I would argue that the next logical step in firewalls is a meta-firewall.
> Suppose that I have a large, distributed network with multiple firewalls and routers.
> I argue that a good firewall software ought to be able to treat that as a single administrative unit.
> ...


In fact products like this have been around for quite a while.

I don't quite remember if NAI had a central management/policy tool for the
Gauntlet firewalls but I guess they did.

At least Secure Computing had it in 2003 for the then
announced Sidewinder G2 (partly Sidewinder, partly Gauntlet).

Cyberguard, acquired by Secure Computing in 2005, already had it before
2005.

Current McAfee product:
http://www.mcafee.com/us/resources/data-sheets/ds-firewall-management.pdf

Heck, Cisco has got it for ASA:
http://www.cisco.com/en/US/products/ps6498/index.html

Kind regards,
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285





------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 66, Issue 3
***********************************************
