On Wed, 20 Jan 1999, Schaar, Norbert wrote:
> I assume this problem has or will have the majority of companies worldwide.
> But, you don't find any documentation describing firewall architectures
> which you simply apply. There's no all-in-one solution or something like
> this, even if most security companies claim to have one.
True.
There can't be such an all-in-one solution because "EC" is not a
technical term. EC can be done in many, technically very different ways.
The first secure EC system I built many years ago was mail based. From
the firewall point of view it was simple mail and didn't need any special
care. For example CORBA based EC is very different.
> Always, if you'd
> like to secure applications, services and communications it's essential to
> take a look behind the scenes: How does the communication work? Where are
> potential exploits? Could I proxy the apps? What about NAT? Consider
> everything, even if you already have an installed firewalling complex.
It is very common to develop and deploy an application _and_ _then_ start
thinking about security. IMHO this is a very bad idea.
Security has to be kept in mind from the very beginning of an application
project. Different technologies have very different security
characteristics, so it is very important to choose the right technology
first. During the whole development process thinking about security is
necessary. For example CORBA based EC can be done in a secure manner. You
have to think about an IIOP firewall, about authentication,
authorisation, message protection and more. Building a secure CORBA
application is not simple, but it can be done.
But securing e.g. an existing DCOM based distributed application is
impossible.
> For your problem with access of externals to internal resources, I would
> suggest usage of encryption (for integrity of your data), certificate
> techniques (for authentication and authorization of each individual) and
> directory services (for access control to particular hosts, services, files
> and directories).
I would be more general: strong authentication and message protection are
needed in all cases. How this is done depends on the circumstances: The
application, the risks and so on. You mention certificates. Public key
based encryption is useful in many cases, but it is not applicable
everywhere. For example it is too "heavy" for tightly coupled object
systems with many connects.
Authorization is too often ignored. Many application programmers overlook
that systems like SSL don't provide any authorization. The clients
authenticate for example to a CORBA server. But then they can invoke all
operations on all objects on this server. This is a very typical
security flaw of CORBA based systems and can't be fixed at the firewall. The
enforcement of authorisation has to be integrated into the application.
Using directory services for security is IMHO still a little bit
risky. They might be secure enough for IntraNet use, but I'm not sure
whether I'd allow others to access such services. It depends.
What we need is an integrated and secure application system, not just a
firewall which supports some application protocols.
> For sure, nobody is interested in broadcasting his solution in detail,
> because secret is one part of security.
No, not at all!
Security by obscurity doesn't work. Security has to be based on the
strength of your mechanism. A good security system can be public except
some secrets like passwords and keys.
The real reason for not broadcasting a solution is simply competition.
Rudi
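
The authorization point made in the message above, as an added example that is not part of the original post: a server-side dispatcher receives an already authenticated principal (for instance the subject of an SSL client certificate) and still checks every object/operation pair against a policy, denying by default. `Account`, `POLICY` and `Dispatcher` are hypothetical names, and the principals and policy entries are constructed sample data.

```python
# Authentication yields a principal name; authorization is a separate check
# made inside the application for each object and each operation.
# All names below are hypothetical; the policy is constructed sample data.

class AccessDenied(Exception):
    pass

class Account:
    def __init__(self, balance):
        self.balance = balance
    def get_balance(self):
        return self.balance
    def withdraw(self, amount):
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid amount")
        self.balance -= amount
        return self.balance

# (object id, operation) -> principals allowed to invoke it.
POLICY = {
    ("acct-1", "get_balance"): {"CN=alice", "CN=auditor"},
    ("acct-1", "withdraw"): {"CN=alice"},
    ("acct-2", "get_balance"): {"CN=bob", "CN=auditor"},
    ("acct-2", "withdraw"): {"CN=bob"},
}

class Dispatcher:
    """Routes requests to server objects; every call passes the policy check."""
    def __init__(self, objects, policy):
        self.objects, self.policy = objects, policy
        self.audit = []  # (principal, object id, operation, decision)

    def invoke(self, principal, obj_id, operation, *args):
        # Deny by default: anything not listed in the policy is refused,
        # so unlisted methods are never reachable by name.
        allowed = principal in self.policy.get((obj_id, operation), set())
        self.audit.append((principal, obj_id, operation, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{principal} may not call {operation} on {obj_id}")
        return getattr(self.objects[obj_id], operation)(*args)

def demo():
    d = Dispatcher({"acct-1": Account(100), "acct-2": Account(50)}, POLICY)
    results = [d.invoke("CN=alice", "acct-1", "withdraw", 30)]  # owner: allowed
    for call in [("CN=alice", "acct-2", "withdraw", 10),    # authenticated, wrong object
                 ("CN=auditor", "acct-1", "withdraw", 1),    # authenticated, wrong operation
                 ("CN=alice", "acct-1", "__init__", 0)]:     # operation not in policy
        try:
            d.invoke(*call)
            results.append("allowed")
        except AccessDenied:
            results.append("denied")
    return results, d
```

All three refused calls come from principals who authenticated successfully; only the policy lookup inside `invoke` stops them, and the audit list records each decision.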