Marcus Ranum Interview on SecurityFocus

Several people, including Stephen Toulouse, picked up this great interview with Marcus Ranum:
http://www.securityfocus.com/columnists/334/3

Here Marcus also says that he does not agree with the approach of De-Perimeterisation (moving the firewall from a centralized position to each host).
I admire and respect him a lot, but I see that he can't imagine a world without firewalls, being one of the fathers of firewalling technology…. 🙂
But that's provocative. I mean, it's just a tease to say that we don't need a firewall at all.
The firewall is still necessary, but it will slowly lose its centrality; that's more the point, IMHO.
Attacks will and DO happen more and more at the application level, to the point where you pass THROUGH a firewall anyway, over those ports that are open everywhere (HTTP, anyone?).
So we should harden the machines and protect them AS IF there were no firewall.

I do like De-Perimeterisation instead, like Steve Riley says in "The Death of the DMZ" (Italian article/translation here – original speech here).
Sure, ONLY taking care of the data is not enough, and the problem of Transitive Trust he mentions makes sense.
But again, ask for 100 to get 10. If you push it to the extreme limit (= no firewall at all), you maybe finally get people to HARDEN their machines.
Then if you get both (hardening AND firewalls)…. well, that's better.
I think at the end of the day what really counts is INCREASING the security measures AT THE HOST level…. so you don't *just* rely on a firewall, as many corporations have been convinced for years that they could, while being wide open in the soft center behind a crunchy shell….
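The point above, "protect the host as if there were no firewall", can be turned into a concrete check. The following is an added example (not code from the original post, the interview, or Steve Riley's talk): it parses the listening-socket table of a Linux host in the layout of `ss -ltn`, reports every non-loopback listener that is not on an allowlist (i.e. what an attacker would reach if the perimeter were gone), and renders a default-deny host-level nftables ruleset for that allowlist. The `ss` output, the allowlist `ALLOWED_PUBLIC_PORTS`, and the table name `host_filter` are all constructed assumptions for the example.

```python
"""Host-exposure audit: what is reachable on this host if the perimeter firewall is gone?"""
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ltn` on Linux; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5432         0.0.0.0:*
LISTEN  0       128     [::]:443             [::]:*
LISTEN  0       128     [::1]:6379           [::]:*
"""

# Assumed policy: the only services this host is meant to expose on the network.
ALLOWED_PUBLIC_PORTS = {22, 80, 443}

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def is_loopback(self) -> bool:
        # Loopback-bound services are unreachable from the network, firewall or not.
        return self.address in LOOPBACK


def parse_ss(output: str) -> list:
    """Parse `ss -ltn`-style text into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is "addr:port"; IPv6 addresses are bracketed, e.g. "[::]:443".
        addr, _, port = fields[3].rpartition(":")
        listeners.append(Listener(addr.strip("[]"), int(port)))
    return listeners


def audit(listeners, allowed=ALLOWED_PUBLIC_PORTS) -> list:
    """Return network-reachable listeners that the host policy does not allow."""
    return [l for l in listeners if not l.is_loopback and l.port not in allowed]


def nft_allowlist(allowed=ALLOWED_PUBLIC_PORTS) -> str:
    """Render a default-deny nftables input policy for the allowlist (host-level firewall)."""
    ports = ", ".join(str(p) for p in sorted(allowed))
    return "\n".join([
        "table inet host_filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    tcp dport {{ {ports} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"unexpected network listener: {finding.address}:{finding.port}")
    print(nft_allowlist())
```

On the constructed sample the audit flags only PostgreSQL on 0.0.0.0:5432; MySQL and Redis are bound to loopback and stay invisible from the network, which is exactly the hardening the post argues for. The rendered ruleset is what the "firewall on each host" side of de-perimeterisation looks like in practice: a default-drop input chain that mirrors the same allowlist.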




One thought on “Marcus Ranum Interview on SecurityFocus”

  • July 13, 2005 at 2:54 pm

    I think it just boils down to what many have been preaching for a long time: "Defense in depth". Firewalls, internal perimeters, IDS (IPS?), syslog monitoring, patching, anti-virus, switch ACLs, multi-factor authentication, host hardening, are rather like the instruments in a symphony. One would never think of having an orchestra with just clarinets, or just tubas! What a ridiculous idea. In order to have the high melody you need violins, flutes, clarinets, piccolos etc. In order to have decent bass you need tubas, baritones, bass clarinets, cellos, string bass, bassoons, etc. The same applies to security. There are many methods of attack, so one needs many methods of defense in one's arsenal. The more defenses you employ, the harder the attacker's life will be.

    Thomas
