|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Telco's write best practices for packet switching networks
In message <[email protected]>, Sean Donelan writes: > >My comment was originally prompted by the meeting minutes which >reported on the survey data showing that 100% of carriers are implementing >firewalls in their gateways. The 100% is what caught my eye. As the >topic comes up in various places, large ISPs repeatedly say they are >unable to implement filters or packet screening on their high-speed >links such as at peering points. So the self-reported 100% implementation >of screening and filtering firewalls at gateways didn't seem to jive >with my understanding of the limitations faced by large ISPs. Yup. > >Firewalls can be a useful tool in the security engineer's toolbox. But >they get misused a lot. I don't believe security engineers are better >programmers. If there was a class of programmers in the world that didn't >make mistakes, I would hire them to write the applications. When the >firewall is more complex than the application server it is "protecting" >which is likely to have more mistakes? > Yes and no. I don't think that security programmers are any better than application programmers. But they might be trained differently. For example, I suspect that most application programmers have never heard of format string vulnerabilities. I would hope that most security professionals have. But you're absolutely right about the complexity of many of today's firewalls -- I've been complaining about that for years. --Steve Bellovin, http://www.research.att.com/~smb Full text of "Firewalls" book now at http://www.wilyhacker.com |