North American Network Operators Group

Re: Firewall opinions wanted please
> > > On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall,
> > >
> > > _Everyone_ (network connected) should have a firewall. My grandma should
> > > have a firewall. Nicole, holding dominion over this business network and
> > > its critical infrastructure, should _definitely_ have a firewall. ;)
> > >
> >
> > Why? When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?
> >
> > Two questions asked, two answers are sufficient.
>
> Nope. One will do it. The day the first remote exploit or condition,
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control
> of your box(en), firewalling became necessary.

Ah, so back in 1979. Three (well, two and a half, roughly) decades between making fundamental design choices on how protocols vs folks trying to do the right thing in the wrong place.

> The Internet is not exactly
> end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the
> notion of "end-to-end" requires preservation of a connection between 2
> consenting hosts, and preservation includes securement of that connection
> against destructive mechanisms, which includes the subversive techniques and
> interceptions commonly associated with network security.

Here we have some disagreement. Network Security is protecting the infrastructure's ability to deliver bits and has nothing to do w/ end systems per se.

> Firewalls are logical interventions, costing as little as some processor
> overhead. Dedicated appliances are only one deployment. Filters on
> routers also qualify as firewalls. Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?

Please include the OPEX costs.

And you have ignored the IAB plea for having filtering done as a temporary expedient as a way to encourage new application/feature development.

And yes, the need to perform edge filtering is symptomatic of a cultural problem. We have sociopaths in the community that drive normally sane people to do perverse things. So yes, mutant lunacy and unDESIRABLE complexity.

> Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> regarding appropriate and competent administration. The lack thereof
> presents the complication, not the countermeasure itself.

Amen. See above. From a systems perspective, adding yet one more level of management/administration decreases the efficiency and robustness of the overall system. From a "security" perspective, another attack point!

> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well? Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.

See above.

>
> --ra
>
> --
> k. rachael treu, CISSP [email protected]
> ..quis custodiet ipsos custodes?..
>
>
> > --bill
>
>