Greg Goodman
Ralph,
First, let me say that I agree with your assessment that firewalls are necessary components of an overall computer security strategy, if insufficient in themselves to provide total security.
However, I disagree with your interpretation of the Maginot Line analogy...
> > > Firewalls are the Maginot lines of the Internet.
[snip]
> However, the firewall's purpose is not to eliminate all security risks related to the Internet. The firewall's purpose is to prevent specific kinds of communications [across a network boundary] from occurring. <
Nor was the Maginot Line intended to eliminate all the possible threats to the integrity of a sovereign nation. It was designed to prevent the transport of a particular threat across a particular boundary.
> Firewalls won't stop denial of service attacks for instance. [snip] Firewalls won't address internal security problems such as disgruntled ex-employees with old accounts that are never disabled. <
Just as the Maginot Line (or any other perimeter defense) won't prevent a run on the National Bank or a coup d'etat by disaffected military veterans. If your overall security must encompass these threats, you must put into place other, additional measures: rational monetary policy, good internal intelligence, social and political structures that promote loyalty among the police...
I see the failure of the Maginot Line as a useful object lesson, on par with the Polish Cavalry's failure against the German tank corps and other well-known attempts to meet a new threat with old technology.
The term "firewall" is itself a metaphor, and doesn't imply any specific mechanism for implementing the protections it provides. What does your firewall do? It's not as if firewall technology isn't evolving to meet new threats. (I guarantee that if you're still using the same firewall setup today that you thought was adequate three years ago, then you are vulnerable today to threats you didn't know about then.)
My point is that we should constantly re-assess our solutions as the problem - or even just our understanding of it - changes. After all, we're engineers, that's what we do; design and deploy solutions to the problems we know or anticipate, then evolve the solutions to deal with whatever comes up that we didn't see coming.
Regards,
Greg Goodman
Chiron Consulting