North American Network Operators Group


Re: Telco's write best practices for packet switching networks

  • From: Steven M. Bellovin
  • Date: Wed Mar 06 10:33:12 2002

In message <[email protected]>, 
"Christopher L. Morrow" writes:
>On Wed, 6 Mar 2002, Ron da Silva wrote:
>> On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
>> >
>> > In message <[email protected]>, Eric Brandwine writ
>> >
>> > >
>> > >Firewalls are good things for general purpose networks.  When you've
>> > >got a bunch of clueless employees, all using Windows shares, NFS, and
>> > >all sorts of nasty protocols, a firewall is best practice.  Rather
>> > >than educate every single one of them as to the security implications
>> > >of their actions, just insulate them, and do what you can behind the
>> > >firewall.
>> > >
>> > >When you've got a deployed server, run by clueful people, dedicated to
>> > >a single task, firewalls are not the way to go.  You've got a DNS
>> > >server.  What are you going to do with a firewall?  Permit tcp/53 and
>> > >udp/53 from the appropriate net blocks.  Where's the protection?  Turn
>> > >off unneeded services, choose a resilient and flame tested daemon, and
>> > >watch the patchlist for it.
>> >
>> > Precisely.  You *may* need a packet filter to block things like SNMP
>> > (to name a recent case in point), but a general-purpose firewall is
>> > generally the wrong solution for appliance computers.
>There is no need to drop traffic for things that aren't listening. Eric's
>point was you deploy your fancy-dan mail server with ONLY 22 and 25
>listening, you know that's all that's listening and your
>daily/hourly/weekly/monthly automated audits tell you this continually and
>alert when there are problems/deviations.  So, why filter anything in this
>case? It's wasted bandwidth/processing power.

I was agreeing with Eric's point.  I've been saying this for years.  My 
comment about the packet filter was to deal with services that are 
needed for some internal purposes, but for some reason can't protect 
themselves.  Right now, that's snmp -- you may have snmpd running on 
your mail server, but given the recent CERT advisory you need to keep 
the bad guys away from it.  (Yes, you should install fixed code -- but 
given how many components were affected by that advisory, it's quite 
obvious that no one has had time to test the fixes properly.)

		--Steve Bellovin,
		Full text of "Firewalls" book now at
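
An added illustration, not code from anyone in this thread: a listener audit of the kind the quoted message describes (baseline of tcp/22 and tcp/25, alert on deviations), extended to flag the case raised in the reply, a service such as snmpd that is kept for internal use and therefore has to sit behind a packet filter. The sample `ss -H -lntu` output and the names `EXPECTED` and `FILTER_REQUIRED` are constructed for the example.

```python
import ipaddress

# Baseline from the thread's example: a mail server with only SSH and SMTP exposed.
EXPECTED = {("tcp", 22), ("tcp", 25)}
# Services kept for internal use that cannot protect themselves (snmpd here):
# tolerated only when a packet filter restricts who can reach them.
FILTER_REQUIRED = {("udp", 161)}

# Constructed sample of `ss -H -lntu` output, not captured from a real host.
SAMPLE = """\
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22            [::]:*
tcp   LISTEN 0      5          127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      64           0.0.0.0:111        0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return {(proto, port)} for sockets reachable from off-host."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        if addr != "*" and ipaddress.ip_address(addr).is_loopback:
            continue  # loopback-only listeners are not network-exposed
        found.add((proto, int(port)))
    return found

def audit(ss_output, expected=EXPECTED, filter_required=FILTER_REQUIRED):
    """Compare exposed listeners with the baseline and report deviations."""
    listening = parse_listeners(ss_output)
    return {
        "unexpected": sorted(listening - expected - filter_required),
        "missing": sorted(expected - listening),
        "needs_filter": sorted(listening & filter_required),
    }

if __name__ == "__main__":
    for kind, sockets in audit(SAMPLE).items():
        for proto, port in sockets:
            print(f"{kind}: {proto}/{port}")
```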