
Re: IPSEC requirements



>Well, it seems obvious to me that Marcus has expanded the definition of
>"firewalls" far beyond the usual term.

	Oops, sorry. I suggest you read something about what's
being done in "firewalls" these days -- most of the concepts
I present are not new, nor are they unique to me, though I
did have something to do with their formation. Check out Cheswick
and Bellovin's book for a good intro.

>Please call it something else.  Most of us don't mean this when we say
>"firewall".  A firewall is an IP level concept.

	 Generally, when you're talking to folks who are doing
firewalls, you may find that "Firewall" != "router + screening"
100% of the time. Perhaps you may wish to call them something
else, or perhaps you may wish me to call them something else,
but the term "firewall" has a fairly wide interpretation these
days. It's best to understand that, to prevent confusion, which
was the purpose of my previous missive.

	Perhaps one should distinguish between application
level firewalls and IP level firewalls. In future discussion
here, I will do that to reduce confusion.

	Let's avoid a battle of definitions if possible. It's
too late to change the use of the word "firewall" in the
firewall community to meet your understanding. (Many of us
call an IP level "firewall" a "screening router").

>authentication has to be done _outside_ the host.  If you are doing it
>offline on a calculator, then _you're_ the trusted host.  Why waste the
>time?  Just connect your trusted host directly.

	No, if you're using offline authentication, then you are
a trusted party, possibly using an untrusted host. There's a big
difference. I could be using, say, a version of telnet that logs
all my keystrokes and my session encryption key, but if my offline
authentication is tamper-proof, then an attacker will have a
lot of trouble pretending to be me when creating a different
session. [The current session could be completely compromised,
of course. If I were a "trusted host" personally, then I'd be
using only my own software that I could trust, etc, etc]

>> 	Your PPP node is then part of your VNP, even though
>> you're not encrypting/authenticating your traffic. So your
>> firewall is trusting your PPP node. What do you do if you
>> are logged onto an *untrusted* outside node?? Presumably when
>> you are, then you have to do something more elaborate to get
>> through your firewall, no?
>>
>HUH?  How could I be "logged onto an *untrusted* outside node"?  This is
>self-contradictory.
>
>If I am logged in, I must have authenticated.  If I can authenticate,
>the node must be trusted.  Otherwise, it wouldn't have my authentication
>information.

	Terminology confusion again. "Logged on" in the above
statement means "on the machine" -- could be a guest account, a
guest terminal server at a conference, whatever. The host in
question may not have your authentication information and may,
in fact, have no idea who you are -- you could be "conference
guest login #1".

	In such a case, I can't see any reason (unless you
were trying to bring individual users into the VNP) why you would
wish to have authentication information on an untrusted host,
unless the authentication protocol was robust enough that it
couldn't be harmed if that host were already compromised.

>> 	If all you're trying to do is build bigger,
>> better firewalls, then definitely, there's no reason
>> not to use your own trusted laptop. :) You're not making
>> the firewall go away -- you're just inventing a magical
>> way of moving your laptop (virtually) behind the firewall.
>>
>Again, this makes no sense to me.  Using Mobile-IP or some such
>mechanism to authenticate myself has no relation to "firewalls".
>The Home Agent is not a "firewall".  It is a "router".

	It's useless to quibble about terminology, I'm sorry.
Whatever you want to call it, it's part of your security perimeter
and it's part of the mechanism that enforces the integrity of
your perimeter. It may be a "router" but that's an implementation
detail.

	Whatever terms you care to substitute in place of mine,
the effect of my statement remains: you're not solving any
access problems; you're just hiding them by logically moving
everything into your security perimeter. That's fine. In
the language of firewalls you're not making the firewall
go away, you're just moving everything you own behind it.

>Just as we don't call routing forwarders "gateways" anymore, because the
>term was taken by application level, please don't use the term
>"firewall" for authentication at any level.  Firewalls do not do
>authentication.

	Sorry, but my "firewalls" do authentication. Let's
accept that there's not a standard language and just work with
the concepts, OK? I won't try to tell you what you can and
can't call a router if you don't try to tell me what a "firewall"
is. :) From your reaction to my earlier mail, you understood
what I was saying; that is sufficient.

mjr.
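The offline-authentication case described above, as an added example that is not part of the original mail: a constructed challenge/response token whose secret never reaches the host the user is sitting at, so a host that logs every keystroke (and the session it relayed) still cannot reuse what it saw to open a new session. The class names, the demo secret and the HMAC-based token are assumptions for illustration, not anything from the thread.

```python
import hmac
import hashlib
import secrets

# Constructed demo value (assumption): the shared secret lives only in the
# offline token and in the verifier behind the perimeter, never on the host.
TOKEN_SECRET = b"constructed-demo-token-secret"


def token_respond(secret: bytes, challenge: bytes) -> str:
    """The offline 'calculator': keyed HMAC over the challenge.
    The user types only the result; the secret never touches the host."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


class Verifier:
    """Perimeter side: issues fresh challenges and checks the typed answers."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending: set[bytes] = set()   # issued but not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending.add(challenge)
        return challenge

    def check(self, challenge: bytes, response: str) -> bool:
        # Each challenge is good for exactly one answer, so an old
        # challenge/response pair cannot be replayed either.
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        expected = token_respond(self.secret, challenge)
        return hmac.compare_digest(expected, response)


class LoggingHost:
    """Untrusted host: records everything shown to and typed by the user."""

    def __init__(self) -> None:
        self.log: list[tuple[bytes, str]] = []

    def login(self, verifier: Verifier, token_secret: bytes) -> bool:
        challenge = verifier.new_challenge()
        typed = token_respond(token_secret, challenge)  # copied from the token
        self.log.append((challenge, typed))              # host saw it all
        return verifier.check(challenge, typed)


def replay_from_log(verifier: Verifier, log: list[tuple[bytes, str]]) -> bool:
    """Whoever holds the host's log tries to open a *new* session with it."""
    fresh = verifier.new_challenge()
    _, old_response = log[-1]
    return verifier.check(fresh, old_response)
```

The current session is fully visible to the host, exactly as the mail concedes; what the log does not give away is the ability to answer the next challenge.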