
Re: ipsec vs. firewalls

Marcus Leech wrote:
> 
> Phil Karn wrote:
> >
> > Damien,
> >
> > It's an old battle, and Steve and I are used to sparring over it in a
> > friendly fashion.
> >
> > Firewalls are useful as temporary stopgaps when you're actually under
> > attack, but they try to do what can only be done properly on an
> > end-to-end basis. And to the extent that they give people a false sense
> > of security, firewalls actually diminish security.
> >
> > Steve and his co-author Bill Cheswick refer to this as the "hard
> > exterior with a chewy interior" property of many firewalled networks.
> >
> The problem is that for a corporate network of any substantial
> size, there will *never* be a way to make the interior
> crunchy.

I have to disagree.

Eventually, I believe it is reasonable to expect that vendors will
automate patch application, and that patches will be obtained from the
vendor over the network.  In fact, I expect that part of configuring a
machine will include the e-mail address of whom to e-mail if a patch
application fails or requires operator intervention.

In fact, in the future, I believe that bugs that are so deep-rooted in a
box's software that it cannot be automatically updated (and perhaps bugs
that require a reboot to patch) will be the only security bugs many
sites worry about.

IPSEC makes this less scary, but it's quite possible without IPSEC.
