North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Firewall opinions wanted please

  • From: Rachael Treu
  • Date: Wed Mar 17 12:25:31 2004

On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > The best option I guess is to figure out how important it is for you to have a firewall, 
> > 
> > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > have a firewall.  Nicole, holding dominion over this business network and 
> > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > 
> 	Why?  When did the end2end nature of the Internet suddenly
> 	sprout these mutant bits of extra complexity that reduce
> 	the overall security of the 'net?  
> 
> 	Two questions asked, Two answers are sufficent.

Nope.  One will do it.  The day the first remote exploit or condition, 
in protocol or application, that could potentially have given rise to such
and exploit made it possible for a user not in your control to gain control 
of your box(en), firewalling became necessary.  Then Internet is not exactly 
end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the 
notion of "end-to-end" requires preservation of a connection between 2 
consenting hosts, and preservation includes securement of that connection 
against destructive mechanisms, which includes the subversive techniques and 
intercetptions commonly associated with network security.  

Denial of Service is as much a threat to availability and network 
functionality as is power outage if it occurs.  Before this turns to a "you 
security freaks want to screw around with my network and don't care about 
availability..."

Firewalls are logical interventions, costing as little as some processor
overhead.  Dedicated appliances are only one deployment.  Filters on 
routers also qualify as firewalls.  Am I correct in understanding that you
feel edge filtering is mutant lunacy and unnecessary complexity?

Regarding dedicated firewalls, please see Mr. Bellovin's previous post 
regarding appropriate and competent administration.  The lack thereof 
presents the complication, not the countermeasure itself.

As for your assertion that firewalls "reduce the overall security of the 
'net."...can you please elaborate on that, as well?  Other factions might/do
argue that it's the other team refusing to lock their doors at night that
are perpetuating the flux of bad behavior as a close second to the ignorant
and infected.

--ra

-- 
k. rachael treu, CISSP       [email protected]
..quis costodiet ipsos custodes?..
> 
> --bill