Re: ipsec vs. firewalls
Phil Karn wrote:
>
> Damien,
>
> It's an old battle, and Steve and I are used to sparring over it in a
> friendly fashion.
>
> Firewalls are useful as temporary stopgaps when you're actually under
> attack, but they try to do what can only be done properly on an
> end-to-end basis. And to the extent that they give people a false sense
> of security, firewalls actually diminish security.
>
> Steve and his co-author Bill Cheswick refer to this as the "hard
> exterior with a chewy interior" property of many firewalled networks.
>
The problem is that for a corporate network of any substantial
size, there will *never* be a way to make the interior
crunchy.
Working, as I do, for a very large enterprise (250K addressable
objects), I can't see any way to fix this. In smallish
enterprises, where security policy is enforceable, you can
certainly tear down the firewalls. In a large one, you
don't stand a chance.
One could argue "if you don't abide by the security policy,
you're screwing yourself", but in reality, you're screwing
the corporation. That's not a risk I want to take.
While it's true that a significant number of incidents are
internal, in most large enterprises, it's not clear that
they dominate.