
Re: IPSEC requirements



>	Finally, yes, we do agree that application-dependent firewalls
>are a long term problem because they require tracking evolving
>applications and the intermediate implementation of these applications
>may lose functionality for the users.

	I know I seem like I'm throwing a lot of wrenches into the
works, but I'd like to point out that there are lots of good reasons
for using restrictive application-dependent firewalls. That, in fact,
is why I was careful to open the discussion on trust boundaries in
IPSEC versus firewalls.

	A network security system is more than just a bunch of
components; it has to be looked at in its completeness. Having an
IP-layer firewall that permits arbitrary traffic between members
of the VNP is going to address a lot of problems, but it doesn't
help out with the problems of safely (or as safely as possible)
communicating with hosts that are *outside* the VNP. In that case,
an application-dependent firewall may be a very good thing,
since it presumably will "understand" what kinds of operations
should or should not be permitted across it. An IP-level firewall
will simply deal with "this connection is OK" or "this connection
is not" --- which is insufficient if you're dealing with normal
UNIX host security.

	After all, the best network security in the world isn't
worth a plugged nickel if an outsider can talk to sendmail running
in daemon mode as root on your system. :)

	So, while the application-dependent firewall is a pain in
the neck, it's a more conservative approach, and there may well
be good reasons for doing things that way.

	"tracking evolving applications and the intermediate implementation
of these applications"

	also means leaving oneself open to being reamed by the often
gaping holes in said applications. Some of us *can't* afford to do
that. That's one of the problems with peer-to-peer networking
utilities -- they're often terribly badly designed from a security
perspective. That's why a number of folks in the firewalls biz
(myself included) build our firewalls to block *ALL* network
level traffic. IP applications can't be trusted to be reliable.
Trusted host-to-host networking means your security is only as
good as your host software -- i.e., generally terrible, and nothing
anyone would want to rely on to protect their network. Interjecting
an irritating piece of carefully designed application gateway
permits a degree of control and audit over an otherwise messy
situation.

	Clearly what is needed are strong mechanisms for building
host-to-host trust and VNPs. Side by side with them we need strong
mechanisms for isolating and mediating access between the network
perimeter and untrusted networks.

mjr.
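The distinction the message draws, between an IP-level filter that can only say "this connection is OK" and an application gateway that understands the operations being requested, is easy to show in code. The following is an added example, not code from the original message or from any firewall product: a packet-filter decision that sees nothing but addresses and ports, beside a minimal SMTP-mediating gateway that allows only a known verb set, refuses relaying to foreign domains, enforces the RFC 5321 command-line length limit, and keeps an audit trail. The addresses, domains, rule set and session transcript are constructed for illustration.

```python
"""Added example: IP-level filtering versus an application-level gateway.
Hosts, ports, domains and the SMTP session below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import ClassVar

# --- IP-level filter: sees only addresses and ports ---------------------
# Constructed rule set: (source prefix, destination host, destination port).
IP_RULES = [
    ("0.0.0.0/0", "192.0.2.25", 25),   # anyone outside may reach the mail host
]


def ip_filter_allows(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Decide purely on the tuple. Once allowed, every byte of the session
    passes unexamined: the filter cannot tell RCPT from VRFY or DEBUG."""
    src = ipaddress.ip_address(src_ip)
    for prefix, dst, port in IP_RULES:
        if dst == dst_ip and port == dst_port and src in ipaddress.ip_network(prefix):
            return True
    return False


# --- Application gateway: understands (a subset of) SMTP ----------------
@dataclass
class SmtpGateway:
    """Mediates each command line before anything reaches the real MTA."""
    allowed_rcpt_domains: frozenset
    audit: list = field(default_factory=list)

    # Verbs the gateway is willing to forward; everything else is refused
    # here, so an unknown or vendor-specific command never reaches the host.
    ALLOWED: ClassVar[frozenset] = frozenset(
        {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})
    MAX_LINE: ClassVar[int] = 512            # RFC 5321 command-line limit, incl. CRLF
    RCPT_RE: ClassVar[re.Pattern] = re.compile(
        r"TO:\s*<([^<>@\s]+)@([^<>@\s]+)>", re.IGNORECASE)

    def mediate(self, peer: str, line: str) -> str:
        """Return the reply the gateway sends for one client command line."""
        if len(line.encode()) > self.MAX_LINE:
            self.audit.append((peer, "?", "DENY overlong line"))
            return "500 line too long"
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb not in self.ALLOWED:
            self.audit.append((peer, verb, "DENY forbidden verb"))
            return "502 command not implemented"
        if verb == "RCPT":
            m = self.RCPT_RE.fullmatch(arg.strip())
            if not m or m.group(2).lower() not in self.allowed_rcpt_domains:
                self.audit.append((peer, verb, f"DENY rcpt {arg!r}"))
                return "550 relaying denied"
        self.audit.append((peer, verb, "ALLOW"))
        if verb == "QUIT":
            return "221 closing connection"
        if verb == "DATA":
            return "354 end data with <CR><LF>.<CR><LF>"
        return "250 OK"


def run_session(gateway: SmtpGateway, peer: str, lines: list) -> list:
    """Feed a client transcript through the gateway, collecting replies."""
    return [gateway.mediate(peer, line) for line in lines]


# Constructed client transcript from an outside host.
SESSION = [
    "EHLO mail.example.org",
    "VRFY root",                           # account probing: refused
    "MAIL FROM:<alice@example.org>",
    "RCPT TO:<bob@example.com>",           # our domain: allowed
    "RCPT TO:<carol@example.net>",         # relay attempt: refused
    "MAIL FROM:<" + "a" * 600 + "@example.org>",  # overlong line: refused
    "DEBUG",                               # unknown verb: never forwarded
    "QUIT",
]

if __name__ == "__main__":
    print("ip filter:", ip_filter_allows("203.0.113.7", "192.0.2.25", 25))
    gw = SmtpGateway(allowed_rcpt_domains=frozenset({"example.com"}))
    for cmd, reply in zip(SESSION, run_session(gw, "203.0.113.7", SESSION)):
        print(f"{cmd[:40]:<40} -> {reply}")
    for entry in gw.audit:
        print("audit:", entry)
```

The packet filter answers the same "yes" for every line of the transcript, because it only ever saw one connection to port 25. The gateway answers per operation and leaves a record of what it refused, which is the "control and audit" the message argues for; the cost is exactly the one the message concedes, namely that the gateway must be updated whenever the protocol it mediates grows new verbs.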

