Re: ipsec vs. firewalls



Phil Karn wrote:
> 
> Damien,
> 
> It's an old battle, and Steve and I are used to sparring over it in a
> friendly fashion.
> 
> Firewalls are useful as temporary stopgaps when you're actually under
> attack, but they try to do what can only be done properly on an
> end-to-end basis. And to the extent that they give people a false sense
> of security, firewalls actually diminish security.
> 
> Steve and his co-author Bill Cheswick refer to this as the "hard
> exterior with a chewy interior" property of many firewalled networks.
> 
The problem is that for a corporate network of any substantial
  size, there will *never* be a way to make the interior
  crunchy.

Working, as I do, for a very large enterprise (250K addressable
  objects), I can't see any way to fix this.  In smallish
  enterprises, where security policy is enforceable, you can
  certainly tear down the firewalls.  In a large one, you
  don't stand a chance.

One could argue "if you don't abide by the security policy,
  you're screwing yourself", but in reality, you're screwing
  the corporation.  That's not a risk I want to take.

While it's true that a significant number of incidents are
  internal, in most large enterprises, it's not clear that
  they dominate.
