
RE: F1000 requirements?



Hesham,

>I assume F1000 companies, indeed all companies, have 
>firewalls. So why is it important to hide addresses?

I note Brian's guidance, so I'll quickly respond to your query and then go off-list with this topic:

An algorithmic change occurred during the late 1990s as to the nature of what an Autonomous System is. Previously businesses put a wall around their infrastructures and delineated "us" versus "them" relationships. This idea is the basis for defining ASes and the policy concepts embedded within BGPv4. Firewalls are well suited to enforcing this mentality.

However, starting in the mid-1990s businesses began to form close cooperative relationships (e.g., on issues such as streamlining supply chains) that required the sharing of internal processes and systems with small controlled sets of external business partners. Large companies have many such relationships, each different from the other because each such relationship is specific.

Coupled with this were a number of legal changes impacting corporations and controlling issues such as privacy and (in the USA and several other countries) ITAR. These laws put restrictions on what internal employees can see and do with regard to each other.

This change in business algorithm, when coupled with the changing legal environment, implies the need for security zones or distributed firewalls where devices and individuals are protected/controlled on a fine-grained policy basis (e.g., role-based access control (RBAC)).

Large corporations have been explicitly trying for at least the past 5 or 6 years to evolve their perimeter defense systems from the old-fashioned firewall mentality to the new security zone (or distributed firewall) mentality, where the "firewall" access control protections reach deep within the corporation. Corporations have cumulatively tried (and deployed) all sorts of technologies to do this. Despite this, the topic is still an active research domain with plenty of room for further maturity.

The need to hide addresses stems from the fact that these changes have made the corporate perimeter increasingly porous at a time when electronic-based attacks are also increasing. Address hiding has always been a central part of a corporation's defense-in-depth security strategy (i.e., firewalls used to do this for us), because it is harder to attack something that you can't see (or don't know about). This historic requirement has increased in importance given the current business and legal environment.

--Eric