North American Network Operators Group


Re: Firewall opinions wanted please

  • From: bill
  • Date: Wed Mar 17 13:00:07 2004

> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall, 
> > > 
> > > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > > have a firewall.  Nicole, holding dominion over this business network and 
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > > 
> > 	Why?  When did the end2end nature of the Internet suddenly
> > 	sprout these mutant bits of extra complexity that reduce
> > 	the overall security of the 'net?  
> > 
> > 	Two questions asked, two answers are sufficient.
> 
> Nope.  One will do it.  The day the first remote exploit or condition, 
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control 
> of your box(en), firewalling became necessary.  

	Ah, so back in 1979.  Three (well, two and a half, roughly)
	decades between making fundamental design choices on how 
	protocols work vs. folks trying to do the right thing in the wrong
	place.

> The Internet is not exactly 
> end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the 
> notion of "end-to-end" requires preservation of a connection between 2 
> consenting hosts, and preservation includes securement of that connection 
> against destructive mechanisms, which includes the subversive techniques and 
> interceptions commonly associated with network security.  

	Here we have some disagreement.  Network security is protecting
	the infrastructure's ability to deliver bits and has nothing to
	do w/ end systems per se.

> Firewalls are logical interventions, costing as little as some processor
> overhead.  Dedicated appliances are only one deployment.  Filters on 
> routers also qualify as firewalls.  Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?

	Please include the OPEX costs.  And you have ignored the 
	IAB plea for having filtering done as a temporary expedient
	as a way to encourage new application/feature development.
	And yes, the need to perform edge filtering is symptomatic of
	a cultural problem.  We have sociopaths in the community that
	drive normally sane people to do perverse things.

	So yes, mutant lunacy and unDESIRABLE complexity.

> Regarding dedicated firewalls, please see Mr. Bellovin's previous post 
> regarding appropriate and competent administration.  The lack thereof 
> presents the complication, not the countermeasure itself.

	Amen.  See above.  From a systems perspective, adding yet
	one more level of management/administration decreases the
	efficiency and robustness of the overall system.  From a
	"security" perspective, another attack point!

> As for your assertion that firewalls "reduce the overall security of the 
> 'net."...can you please elaborate on that, as well?  Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.

	See above.
> 
> --ra
> 
> -- 
> k. rachael treu, CISSP       [email protected]
> ..quis custodiet ipsos custodes?..
> > 
> > --bill