Great Circle Associates Firewalls
(September 1995)
 


Subject: Re: HannaH from SecureWare Inc.
From: Charles Cooley <cooleycd @ jmu . edu>
Date: Fri, 1 Sep 1995 11:22:21 -0400 (EDT)
To: Alan Hannan <alan @ mid . net>
Cc: David Miller <isdmill @ gatekeeper . ddp . state . me . us>, Gary Flynn <gary @ habanero . jmu . edu>, firewalls-owner @ GreatCircle . COM, firewalls @ GreatCircle . COM, adm_lcorea @ VAX1 . ACS . JMU . EDU, foxtrot @ sware . com, oit_cathy @ VAX1 . ACS . JMU . EDU, oit_charles @ VAX1 . ACS . JMU . EDU, oit_dbh @ VAX1 . ACS . JMU . EDU, shan . bell @ sware . com
In-reply-to: <199508312229 . RAA29405 @ gaijin . mid . net>

I should know better than to get into my supervisor's discussion with his 
boss on the CC: list, but ...

Legend:
   alan]   is Alan Hannan
   -dm-]   is David Miller
   gflynn] is Gary Flynn

-dm-] I'm not familiar with this particular product.  That said, I'd like to 
-dm-] address a couple of points that you make about it.
...
-dm-] Second, the whole reason people put the soft chewy center in the middle 
-dm-] of a very hard shell is so there is a single access point to be 
-dm-] administered.  It's one thing to get a good security person to 
-dm-] manage/monitor the firewall through which all traffic flows.  It's 
-dm-] another thing altogether (usually thought impossible in any sizeable 
-dm-] installation) to try and have many administrators adequately secure 
-dm-] their systems.

Troy had strong walls and a decent army and so believed they were safe.
A more vigilant night watch was called for, since the city was surrounded.
"Soft chewy centers" behind a single line of defense are very dangerous. 

gflynn] This Hannah product looks like what I've been looking for. It puts
gflynn] "network security" where it belongs...on the nodes. I liken this
gflynn] to putting locks on building doors rather than gates across
gflynn] heavily traveled roads. Then the communications infrastructure
gflynn] can be upgraded and used as intended...as a communications highway.
gflynn] Problems with firewall throughput go away.
 
alan]  Sure, let's just open up the bloody borders of our country to anyone, we
alan] wouldn't want to impede any travel, would we?  Heaven forbid Iraqis 
alan] should actually have to stop at the border to our country, we should 
alan] allow them and all others to come in unimpeded.  Geez.

While I agree that firewalls are an important defense to provide overall 
site security, they are not enough.  The impression that I am getting from
the two responses to Gary's message is that firewall and other network
security are significantly more important than individual host security
mechanisms.

The national border analogy provides a natural counter argument.  Even 
countries with a strong military and secure borders still maintain
an internal police force, and in larger communities individuals make sure
that their door is locked.  

HannaH is designed to provide the "internal" security that most firewall 
based security strategies don't address.  A significant portion of the
security breaches are not from "foreigners" but from discontented and 
anti-social "natives" in the electronic world.  

gflynn] Is anyone else excited about this product or am I missing something?

alan]  Quite obviously, one that thinks individual host security should have
alan] more emphasis than network security has never tried to implement such a
alan] policy.  More clearly, one who thinks indiv. hosts are more important
alan] than network security has no concept of time=money.

I believe that HannaH should be viewed as an alternative to Virtual LAN 
security schemes instead of firewalls and one of the complaints about
Virtual LANs is maintainability.

If you want to talk about time and money and their relation to the size
of the network, don't forget that a larger network means a larger center.

One of HannaH's advantages is that it provides a mechanism to base 
security on the identity of a person rather than a host.  The old
Internet concept of host is out of date.  Hosts were multi-user systems
owned and MANAGED by organizations, and individual people were 
authenticated by those hosts.  With the proliferation of PC class 
systems, many systems connected to networks are single user systems.
The old assumptions about security (like the "secure" ports below 512/1024)
can be very dangerous.

On our campus, we are already doing packet filtering at the routers, and
eavesdrop protection, etc. at the hubs.  In our environment, the same 
network and even the same machine may be used by students, faculty and 
staff for any number of different tasks.  A mixed population which 
cannot be physically separated poses a problem that is significantly more 
complex than the "us" vs "them" situation.

Charles Cooley
Network Analyst
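The "secure ports below 512/1024" remark above refers to the BSD r-command
trust model: rshd/rlogind accepted a connection as coming from a
trustworthy system if its source port was in the reserved range (512-1023,
which only root could bind) and the client host was listed in
/etc/hosts.equiv or ~/.rhosts.  The following is an added example, not
code from the thread or from SecureWare: a simplified rshd-style trust
check (the real hosts.equiv/.rhosts semantics around the optional user
field are more involved; the reading below is a simplification), run
against a constructed hosts.equiv file, to show that both inputs the
check relies on are controlled by whoever owns the client machine.

```python
"""Added example (not from the original mailing-list thread).

Simplified rshd-style trust decision:
  1. the source port of the connection must be a reserved port (512-1023), and
  2. the client host (optionally with a user name) must appear in hosts.equiv.

The hosts.equiv text below is constructed sample data.  Real hosts.equiv and
.rhosts semantics for the user field differ in detail; this is a simplified
reading used only to illustrate the trust model.
"""

# Ports rshd/rlogind expected the client to connect FROM.
RESERVED_PORT_RANGE = range(512, 1024)

# Constructed sample /etc/hosts.equiv: "host [user]" per line.
SAMPLE_HOSTS_EQUIV = """
admin-ws.example.edu
lab-pc-17.example.edu   alice
"""


def parse_hosts_equiv(text):
    """Return a list of (host, user_or_None) entries from hosts.equiv-style text.

    Blank lines are skipped; the first field is the host, an optional second
    field restricts the entry to one remote user name (simplified semantics).
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        host = parts[0].lower()
        user = parts[1] if len(parts) > 1 else None
        entries.append((host, user))
    return entries


def rsh_trusts(src_host, src_port, remote_user, hosts_equiv):
    """Decide whether an rshd-style server would accept the claimed remote user.

    Note what is NOT checked: nothing here verifies who is actually sitting at
    src_host.  The port rule only proves that something with root on the
    client chose the port, and the hosts.equiv rule only proves the client's
    address.  On a single-user PC, the person at the keyboard is root.
    """
    if src_port not in RESERVED_PORT_RANGE:
        return False
    src_host = src_host.lower()
    for host, user in hosts_equiv:
        if host == src_host and (user is None or user == remote_user):
            return True
    return False


def demo():
    """Three constructed connections against the sample hosts.equiv."""
    entries = parse_hosts_equiv(SAMPLE_HOSTS_EQUIV)
    # Multi-user, organization-managed host: only root could bind 1022, so
    # the reserved-port rule carries some meaning.
    from_admin = rsh_trusts("admin-ws.example.edu", 1022, "root", entries)
    # Same host, but from an unprivileged (non-reserved) port: rejected.
    from_high_port = rsh_trusts("admin-ws.example.edu", 40000, "root", entries)
    # Single-user PC listed for "alice": whoever owns the PC can bind 1022 and
    # claim to be alice.  The check accepts, having verified nothing about
    # the actual person.
    from_pc = rsh_trusts("lab-pc-17.example.edu", 1022, "alice", entries)
    return from_admin, from_high_port, from_pc


if __name__ == "__main__":
    print(demo())
```

The point the check makes visible is that every input it consults (source
address, source port, claimed user name) is chosen by the client machine.
That was tolerable when client machines were multi-user hosts administered
by the organization; it is not when the client is a PC whose sole user has
root, which is the situation the message above describes.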


