North American Network Operators Group


Re: Telco's write best practices for packet switching networks

  • From: Eric Brandwine
  • Date: Wed Mar 06 09:33:48 2002

>>>>> "rds" == Ron da Silva <[email protected]> writes:

>> Cool, who has an OC-192 firewall on their control elements?  What is
>> a control element, is that the same as a router or is that a signaling
>> gateway?

rds> Hmm...gotta say it (again).  Of course oc192/10ge firewalls are not
rds> currently widely deployed (aka not a best practice), but they should be!

rds> Of course, folks will argue that you have to pay a lot of extra $$
rds> to make that a reality...kind of like how auto makers argue that you
rds> should pay a lot of extra $$ for the GPS receiver in your car (which
rds> does not COST a lot of extra $$).

Firewalls are good things for general purpose networks.  When you've
got a bunch of clueless employees, all using Windows shares, NFS, and
all sorts of nasty protocols, a firewall is best practice.  Rather
than educate every single one of them as to the security implications
of their actions, just insulate them, and do what you can behind the
firewall.

When you've got a deployed server, run by clueful people, dedicated to
a single task, firewalls are not the way to go.  You've got a DNS
server.  What are you going to do with a firewall?  Permit tcp/53 and
udp/53 from the appropriate net blocks.  Where's the protection?  Turn
off unneeded services, choose a resilient and flame tested daemon, and
watch the patchlist for it.

ericb
-- 
Eric Brandwine     |  It is hard to believe that a man is telling the truth
UUNetwork Security |  when you know that you would lie if you were in his
[email protected]       |  place.
+1 703 886 6038    |      - H. L. Mencken
Key fingerprint = 3A39 2C2F D5A0 FC7C  5F60 4118 A84A BD5D  59D7 4E3E
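The host posture the reply describes for a dedicated DNS server (nothing listening but tcp/53 and udp/53, reachable only from the appropriate net blocks) can be checked mechanically. The script below is an added example, not part of the original post or of any NANOG project: it parses `ss`-style listener output (the sample text is constructed, not captured from a real host), flags any network-exposed socket outside the expected set, and renders the minimal packet filter as iptables commands. The expected port set, the allowed prefixes, and the iptables form of the rules are all assumptions for the sake of illustration.

```python
"""Audit a single-purpose DNS host: listening sockets versus the expected service set."""
import ipaddress
import re

# Assumption: an authoritative DNS host should expose only these (proto, port) pairs.
# Management access you actually need (e.g. ssh from a management net) belongs here too.
EXPECTED = {("tcp", 53), ("udp", 53)}

# Constructed example prefixes standing in for "the appropriate net blocks".
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample in the shape of `ss -lntuH` output; not from a real machine.
SAMPLE_SS = """\
udp   UNCONN 0 0      0.0.0.0:53      0.0.0.0:*
udp   UNCONN 0 0      0.0.0.0:111     0.0.0.0:*
tcp   LISTEN 0 10     0.0.0.0:53      0.0.0.0:*
tcp   LISTEN 0 128    0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128    127.0.0.1:953   0.0.0.0:*
tcp   LISTEN 0 64     0.0.0.0:2049    0.0.0.0:*
"""

# proto, state, recv-q, send-q, local addr:port  (remote address ignored)
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(text):
    """Return a list of (proto, local_addr, port) tuples from ss-style output."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((m.group(1), m.group(2), int(m.group(3))))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED):
    """Sockets bound to a non-loopback address that are not in the expected set.

    Loopback-only services (here the constructed 127.0.0.1:953) are not reachable
    from the network, so they are not reported; everything else must be justified
    or turned off, which is the "turn off unneeded services" step of the post.
    """
    unexpected = []
    for proto, addr, port in listeners:
        if addr.startswith("127.") or addr == "::1":
            continue
        if (proto, port) not in expected:
            unexpected.append((proto, addr, port))
    return unexpected


def filter_rules(allowed_nets, expected=EXPECTED):
    """Render the minimal host packet filter as iptables commands (assumed syntax).

    Default-deny inbound, allow loopback and established flows, then permit only
    the expected ports from the allowed prefixes, exactly as the post describes.
    """
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in allowed_nets:
        for proto, port in sorted(expected):
            rules.append(f"iptables -A INPUT -p {proto} --dport {port} -s {net} -j ACCEPT")
    return rules


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_SS)
    for proto, addr, port in unexpected_listeners(found):
        print(f"UNEXPECTED: {proto} {addr}:{port}")
    print("\n".join(filter_rules(ALLOWED_NETS)))
```

Run against the constructed sample it reports portmapper (udp/111), ssh (tcp/22) and NFS (tcp/2049) as unexpected exposure on a box that is supposed to do nothing but DNS; whether ssh stays is a decision you record by adding it to `EXPECTED`, not by leaving the audit silent. The rendered filter is the whole of what the post says a firewall would add on such a host, which is the point being made: the real protection comes from the reduced service set and the patch discipline around the daemon that remains.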