
List:       firewalls-gc
Subject:    Re: Questions for firewall users
From:       "Johnson-Bryden, Ian" <IJB () saicuk ! co ! uk>
Date:       1994-08-31 14:00:00


Whether the Internet becomes the de facto Information Superhighway through 
user support and technical evolution, or eventually another different 
international system is developed to replace it, the demand for global 
communication will only grow.

The Internet provides a range of benefits which still outweigh the problems 
which it presents. For many users, this includes the current level of 
security threats, but Greg is right in saying that the threats have grown 
since the early years. The system is also being used differently today. The 
early academic users and other pioneers are now becoming the minority user 
group as the popularity of the Internet grows. The new users are coming from 
the commercial sector and early domestic (SOHO) users and have different 
user interface and service expectations. This will most probably change the 
market in much the same way as the UNIX market changed through a similar 
process of market growth from academic pioneers to general commercial use. 
The new Internet users are also introducing the opportunity for real 
computer crime, as opposed to early computer criminals who were mainly 
motivated by boredom, or intellectual excitement. Once criminals fully 
appreciate the opportunities for interdicting commercial communications, some 
serious money and effort will be directed at breaking Internet security. 
There is some evidence that this process is already well advanced and just 
becoming appreciated.

You could argue that no one should link to the Internet other than via a 
Firewall, but there are some users who would decide to accept current threat 
levels and may be able to create an economic case for not having any form of 
system security. After all, most IT users ignore security completely in the 
same way that few organisations take any fire or safety precautions unless 
there is legislation which forces them to act.

You should argue that a Security Policy is built on the basis of risk 
analysis, fully maintained and used to determine what risk reduction 
measures should be adopted to meet the specific needs of the enterprise. 
Those needs will probably not be fully met by implementing only a firewall. 
Equally, the use of an 'air gap' internet host will probably not allow you 
to achieve your enterprise objective most effectively, because one major 
benefit of the Internet is accessibility - not assisted by a lack of any 
physical connection. So both the people who advocate Firewall and the people 
who advocate NO connection to the Internet for internal systems may be 
wrong, although it is possible that either could be right in some specific 
circumstances.

The only thing that you can be reasonably sure of is that nothing remains 
unchanged and therefore it is most unlikely that the security system you 
implemented today will still be effective tomorrow without any changes. 
Inevitably those changes will be visible to existing users to some extent.

The one significant area which we do not generally address today is 
applicable legislation. That is not surprising because very little exists 
today and increases some risks because there are virtually no legal 
sanctions and protections. When we do see legislation eventually, it will 
almost certainly force us to make a number of changes to existing systems, 
but we cannot forecast what those changes will be. Having recently read 
three government studies (from different governments) into Information 
Superhighways, I can see that some of the possible changes will not assist 
the Internet. All three studies were produced for internal discussion to 
assist the process of development funding and the drafting of legislation. 
All reports dismissed the Internet as a 'toy' system populated by an 
undisciplined rabble - maybe they just read some flame mail somewhere - but 
concluded that the development of real Information Superhighways should be 
of the highest priority in the economic and social interest. The other area 
of accidental agreement was that the joint major barriers to use were a 
lack of legislation and a lack of security.

How much we can and should influence legislation and Superhighway 
development is open to debate. What we can be sure of is that there are a 
host of opportunities and an army of risks marching out there into the 
future and however hard we may try to 'get it right first time' our best 
efforts will require improvement at some stage after implementation. In a 
period of very rapid change it may even force changes during implementation, 
but that does not mean that someone did a bad job to start with.

Ian J-B

 ----------
From: firewalls-owner
To: firewalls
Subject: Re: Questions for firewall users
Date: 30 August 1994 11:05

> Marcus J. Ranum writes:

>       Really, one shouldn't be connected in the first place without
> having already done all that stuff. You only run into the problem of
> having users complaining that things have changed if you did it wrong
> the first time.

This is easy to say, but there are many of us who have been connected
to the Internet for a long time. Long enough that when we first got
connected, there really wasn't a "hacker problem". The Internet was
new then and hardly anyone knew its intricacies and those who did
were mostly trustworthy. We can hardly be faulted because we failed to
predict the future accurately. So doing it "wrong" the first time
is, IMHO, a value judgment based on 20/20 hindsight.

I am not trying to start a flame war here, just pointing out that
you can also get into the problem of having to force users to accept
changes due to circumstances completely beyond your control, such
as, the net has changed a lot since we first hooked up. And therefore,
discussing how to break changes to users is an appropriate subject
for potential firewall administrators to discuss and the fact that
it is necessary to discuss it does not necessarily indicate poor planning
or incompetence on the part of those administrators.

 --Greg
