Group 2
Application Gateways and Firewalls

Group 2 Members

   o Steve Crocker
   o Jon Crowcroft
   o Steve Deering
   o Paul Francis
   o Van Jacobson
   o Phil Karn
   o Allison Mankin
   o Radia Perlman
   o John Romkey
   o Mike St. Johns

Application Gateways are Evil

Application firewalls...

   o restrict IP connectivity and thus damage net
   o restrict new applications
   o require double login
   o don't fit within the architecture
   o are potential single points of failure
   o are potential performance bottlenecks
   o promote sloppier administration of "protected" hosts
   o don't provide complete protection, e.g., letter bombs, etc.

Application Gateways are Necessary

   o Provide a first line of defense
   o Explicit list of permitted applications
   o Focus energy and resources for security
   o Keep up with latest threats, solutions

Application Gateways are Popular

   o At least four offerings
      - Raptor Eagle
      - DEC Seal
      - ANS Interlock
      - TIS Firewall toolkit (FWTK)
   o General perception by business that open connection to Internet is poor practice
   o >1,000 retrievals of TIS FWTK in less than 6 months

Challenge

Is there a way to bring firewalls and gateways into the security architecture?

Two ideas explored:

   o Application level redirections
   o IP level challenges, redirections