North American Network Operators Group


Re: Telco's write best practices for packet switching networks

  • From: Christopher L. Morrow
  • Date: Wed Mar 06 10:08:00 2002

On Wed, 6 Mar 2002, Ron da Silva wrote:

> On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
> >
> > In message <[email protected]>, Eric Brandwine writes:
> >
> > >
> > >Firewalls are good things for general purpose networks.  When you've
> > >got a bunch of clueless employees, all using Windows shares, NFS, and
> > >all sorts of nasty protocols, a firewall is best practice.  Rather
> > >than educate every single one of them as to the security implications
> > >of their actions, just insulate them, and do what you can behind the
> > >firewall.
> > >
> > >When you've got a deployed server, run by clueful people, dedicated to
> > >a single task, firewalls are not the way to go.  You've got a DNS
> > >server.  What are you going to do with a firewall?  Permit tcp/53 and
> > >udp/53 from the appropriate net blocks.  Where's the protection?  Turn
> > >off unneeded services, choose a resilient and flame tested daemon, and
> > >watch the patchlist for it.
> >
> > Precisely.  You *may* need a packet filter to block things like SNMP
> > (to name a recent case in point), but a general-purpose firewall is
> > generally the wrong solution for appliance computers.

There is no need to drop traffic for things that aren't listening. Eric's
point was you deploy your fancy-dan mail server with ONLY 22 and 25
listening, you know that's all that's listening and your
daily/hourly/weekly/monthly automated audits tell you this continually and
alert when there are problems/deviations.  So, why filter anything in this
case? It's wasted bandwidth/processing power.

> Hmm...but certainly part of the right solution for a general "appliance"
> network.

If you run a little network where you know 'precisely' the ins and outs
there isn't any reason NOT to have a firewall, IMHO. At the very least for
logging/auditing info it's a must. For a backbone filtering is another
story entirely. Filtering backbone equipment for its protection is also a
completely different topic...
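
The automated listening-port audit described in the message above, as an added example that is not part of the original post. It assumes a Linux host with iproute2's `ss`; the baseline set, the function names and the sample output are constructed for illustration.

```python
"""Listening-socket audit: compare `ss -H -tuln` output against a baseline."""
import subprocess

# Baseline from the message: a mail server with ONLY 22 and 25 listening.
BASELINE = {("tcp", 22), ("tcp", 25)}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return the set of (protocol, port) pairs found in ss output."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # skip headers, blank lines, other socket types
        # Local address is the 5th column; the port follows the last ':'
        # (also true for IPv6 "[::]:22" and scoped "127.0.0.53%lo:53").
        port = fields[4].rsplit(":", 1)[-1]
        if port.isdigit():
            listeners.add((fields[0], int(port)))
    return listeners

def audit(ss_output, baseline=BASELINE):
    """Return (unexpected, missing) listeners relative to the baseline."""
    seen = parse_listeners(ss_output)
    return sorted(seen - baseline), sorted(baseline - seen)

def live_listeners():
    """Run ss on this host and return its raw output."""
    return subprocess.run(["ss", "-H", "-tuln"], capture_output=True,
                          text=True, check=True).stdout

if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE)  # swap in live_listeners() on a host
    for proto, port in unexpected:
        print(f"ALERT unexpected listener {proto}/{port}")
    for proto, port in missing:
        print(f"ALERT expected listener absent {proto}/{port}")
    raise SystemExit(1 if unexpected or missing else 0)
```

Run from cron at whatever interval the audit calls for; the non-zero exit status on any deviation is what the alerting hooks onto.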