North American Network Operators Group


Re: Firewall opinions wanted please

  • From: Alexei Roudnev
  • Date: Wed Mar 17 14:26:02 2004

Not _firewalling_, but access limitation. Grandma can live with a PNAT
router - she does not need any firewall if she does not grant external access
to anything. She can live with the Windows _default deny_ setting. If grandma
has extra money, it is better to purchase anti-virus.

Moreover, just for _grandma_, it can be cheaper to do nothing than to invest
in security (a bad thing for us, I know!) - because she loses '$0' in case
of intrusion... It explains the wide spread of modern viruses, spam-trojans etc.
(they cost '$0' to infected households in many cases).

It is like wireless access - my friend has a secured access point, but when I
tried, I could use the unsecured access points of 2 of his neighbours.
They know about the insecurity - but they do not lose anything, so they do not
want to spend $0.01 to improve it. And unfortunately, I cannot blame them.


>
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall,
> > >
> > > _Everyone_ (network connected) should have a firewall.  My grandma should
> > > have a firewall.  Nicole, holding dominion over this business network and
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > >
> > Why?  When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?
> >
> > Two questions asked, two answers are sufficient.
>
> Nope.  One will do it.  The day the first remote exploit or condition,
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control
> of your box(en), firewalling became necessary.  The Internet is not exactly
> end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the
> notion of "end-to-end" requires preservation of a connection between 2
> consenting hosts, and preservation includes securement of that connection
> against destructive mechanisms, which includes the subversive techniques and
> interceptions commonly associated with network security.
>
> Denial of Service is as much a threat to availability and network
> functionality as is power outage if it occurs.  Before this turns to a "you
> security freaks want to screw around with my network and don't care about
> availability..."
>
> Firewalls are logical interventions, costing as little as some processor
> overhead.  Dedicated appliances are only one deployment.  Filters on
> routers also qualify as firewalls.  Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
>
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> regarding appropriate and competent administration.  The lack thereof
> presents the complication, not the countermeasure itself.
>
> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well?  Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.
>
> --ra
>
> -- 
> k. rachael treu, CISSP       [email protected]
> ..quis custodiet ipsos custodes?..
> >
> > --bill