
Re: ipsec vs. firewalls
>the node, (and we'll not quibble over the span of control issues on
>who gets to set the policy screens) then I think that firewalls

Actually, this "quibble" is the crux of the issue. End users detest
firewalls precisely because they don't control them. When a firewall
gets in their way, the usual answer from the networking staff is
"tough". Even if the staff is halfway reasonable, the tables usually
have to be modified manually, and that's a pain if you're trying to do
something in the middle of the night from home.

This merely provokes the users into setting up secret back doors and
tunnels so they can get their work done. The result can be a seemingly
secure firewall riddled with hidden wormholes that may or may not
create hidden security vulnerabilities.

There are several morals here. The most important is that security
policies that piss off your users are invariably counterproductive.

Another is that the Internet architecture gives so much power to the
hosts that the network just can't force two consenting parties to
communicate only in a certain way.  This is a sort of "firewall
corollary" to John Gilmore's famous line about the Net interpreting
censorship as damage and routing around it.

The Internet architecture has been extremely effective in keeping the
telcos in their place. They're desperate to keep the total control
that POTS gave them. Most of them still don't grok that they'll never
control the Internet no matter how hard they try.

And as the Internet has grown, certain elements of the infrastructure
are taking on the unfortunate attributes of the telcos.  Cable
companies providing Internet connectivity are a good example. The
network (and firewall) operators in certain large companies are
another.

Fortunately, the Internet architecture will help us keep them all down
in their places along with the telcos. :-)

Phil
