Sean Donelan <sean@donelan.com> wrote on Sun, 20 Oct 2002 17:13:54 -0400 (EDT):

> What are the current thoughts about firewalls and Internet security.

Re. firewalls, i.e. perimeter security: Most of our enterprise customers have problems defining what their perimeter actually is. Some of them do not have a perimeter any more, in the classical physical sense; wireless applications - not just WLAN, but also the fact that everybody here has a mobile phone and thus a potential 64k+ connection out of the soft core - have made the perimeter a very fuzzy concept. Thus, perimeter security - firewalls - is a necessary part of the whole, but falls perilously short of being an overall security solution.

For network operators, I believe it is easier to define what your perimeter is. One problem is that it is so big and so difficult to control; the other is, once you have it, what does this actually mean? As a carrier,
- you have your own security needs / policies
- each of your customers has security needs / policies
and these do not necessarily overlap fully, so knowing your own perimeter may not be so useful in finding a security solution.

Some carriers I know have started completely "virtualizing" their networks (using MPLS or whatever) to offer each customer their own security domain. For customer, read large customers, or a set of customers with a similar set of security requirements, e.g. dialup users. Then you would need a perimeter control device (firewall) only where security domains intersect. This could be one way to go, though it (I believe) does not scale well.

Another way could be to fall back to host security completely, and when in doubt treat any network as hostile. I see some aggressively growing companies doing this, because with a flurry of international investments and disinvestments, they have long since lost any sense of what is internal and external. This is obviously time-consuming in systems administration, and could possibly lead to a recurrence of phenomena like the Internet worm in the old times (i.e. one single vulnerability opens up 10e6 victims immediately, something firewalls were supposed to cure back then).

So, personally I am just as confused as 10 years ago, just on a much higher level :-)

Just my 2 (euro)cents,
Martin
--
atsec information security, http://www.atsec.com