Re: ipsec vs. firewalls
Marcus Leech wrote:
>
> Phil Karn wrote:
> >
> > Damien,
> >
> > It's an old battle, and Steve and I are used to sparring over it in a
> > friendly fashion.
> >
> > Firewalls are useful as temporary stopgaps when you're actually under
> > attack, but they try to do what can only be done properly on an
> > end-to-end basis. And to the extent that they give people a false sense
> > of security, firewalls actually diminish security.
> >
> > Steve and his co-author Bill Cheswick refer to this as the "hard
> > exterior with a chewy interior" property of many firewalled networks.
> >
> The problem is that for a corporate network of any substantial
> size, there will *never* be a way to make the interior
> crunchy.
I have to disagree.

Eventually, I believe it is reasonable to expect that vendors will
automate patch application, and that patches will be obtained from the
vendor over the network. In fact, I expect that part of configuring a
machine will include an e-mail address of whom to e-mail if a patch
application fails, or requires operator intervention.

In fact, in the future, I believe that bugs that are so deep-rooted in a
box's software that it cannot be automatically updated (and perhaps bugs
that require a reboot to patch) will be the only security bugs many
sites worry about.

IPSEC makes this less scary, but it's quite possible without IPSEC.