List: firewalls-gc
Subject: Re: Questions for firewall users
From: "Johnson-Bryden, Ian" <IJB () saicuk ! co ! uk>
Date: 1994-08-31 14:00:00
Whether the Internet becomes the de facto Information Superhighway through
user support and technical evolution, or eventually another different
international system is developed to replace it, the demand for global
communication will only grow.
The Internet provides a range of benefits which still outweigh the problems
which it presents. For many users, this includes the current level of
security threats, but Greg is right in saying that the threats have grown
since the early years. The system is also being used differently today. The
early academic users and other pioneers are now becoming the minority user
group as the popularity of the Internet grows. The new users are coming from
the commercial sector and early domestic (SOHO) users and have different
user interface and service expectations. This will most probably change the
market in much the same way as the UNIX market changed through a similar
process of market growth from academic pioneers to general commercial use.
The new Internet users are also introducing the opportunity for real
computer crime, as opposed to early computer criminals who were mainly
motivated by boredom, or intellectual excitement. Once criminals fully
appreciate the opportunities for interdicting commercial communications, some
serious money and effort will be directed at breaking Internet security.
There is some evidence that this process is already well advanced and just
becoming appreciated.
You could argue that no one should link to the Internet other than via a
Firewall, but there are some users who would decide to accept current threat
levels and may be able to create an economic case for not having any form of
system security. After all, most IT users ignore security completely in the
same way that few organisations take any fire or safety precautions unless
there is legislation which forces them to act.
You should argue that a Security Policy is built on the basis of risk
analysis, fully maintained and used to determine what risk reduction
measures should be adopted to meet the specific needs of the enterprise.
Those needs will probably not be fully met by implementing only a firewall.
Equally, the use of an 'air gap' internet host will probably not allow you
to achieve your enterprise objective most effectively, because one major
benefit of the Internet is accessibility - not assisted by a lack of any
physical connection. So both the people who advocate Firewall and the people
who advocate NO connection to the Internet for internal systems may be
wrong, although it is possible that either could be right in some specific
circumstances.
The only thing that you can be reasonably sure of is that nothing remains
unchanged and therefore it is most unlikely that the security system you
implemented today will still be effective tomorrow without any changes.
Inevitably those changes will be visible to existing users to some extent.
The one significant area which we do not generally address today is
applicable legislation. That is not surprising because very little exists
today and increases some risks because there are virtually no legal
sanctions and protections. When we do see legislation eventually, it will
almost certainly force us to make a number of changes to existing systems,
but we cannot forecast what those changes will be. Having recently read
three government studies (from different governments) into Information
Superhighways, I can see that some of the possible changes will not assist
the Internet. All three studies were produced for internal discussion to
assist the process of development funding and the drafting of legislation.
All reports dismissed the Internet as a 'toy' system populated by an
undisciplined rabble - maybe they just read some flame mail somewhere - but
concluded that the development of real Information Superhighways should be
of the highest priority in the economic and social interest. The other area
of accidental agreement was that the joint major barriers to use were a
lack of legislation and a lack of security.
How much we can and should influence legislation and Superhighway
development is open to debate. What we can be sure of is that there are a
host of opportunities and an army of risks marching out there into the
future and however hard we may try to 'get it right first time' our best
efforts will require improvement at some stage after implementation. In a
period of very rapid change it may even force changes during implementation,
but that does not mean that someone did a bad job to start with.
Ian J-B
----------
From: firewalls-owner
To: firewalls
Subject: Re: Questions for firewall users
Date: 30 August 1994 11:05
> Marcus J. Ranum writes:
> Really, one shouldn't be connected in the first place without
> having already done all that stuff. You only run into the problem of
> having users complaining that things have changed if you did it wrong
> the first time.
This is easy to say, but there are many of us who have been connected
to the Internet for a long time. Long enough that when we first got
connected, there really wasn't a "hacker problem". The Internet was
new then and hardly anyone knew its intricacies and those who did
were mostly trustworthy. We can hardly be faulted because we failed to
predict the future accurately. So doing it "wrong" the first time
is, IMHO, a value judgment based on 20/20 hindsight.
I am not trying to start a flame war here, just pointing out that
you can also get into the problem of having to force users to accept
changes due to circumstances completely beyond your control, such
as, the net has changed a lot since we first hooked up. And therefore,
discussing how to break changes to users is an appropriate subject
for potential firewall administrators to discuss and the fact that
it is necessary to discuss it does not necessarily indicate poor planning
or incompetence on the part of those administrators.
--Greg