North American Network Operators Group

Re: Firewall opinions wanted please
Guys...firewall is as generic a term as any. Saying grandma needs a router
does not mean that an M20 is interchangeable with her Linksys.

The definition of firewall[1]:

1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent
   unauthorized users from gaining access to a computer network or that
   monitor transfers of information to and from the network.

By that rationale, firewall includes ACLs, filtering, and the umpteen
built-in apps that ship standard with home CPE/routers that _call
themselves_ firewall software.

I am absolutely talking access control. Not about an HA Netscreen500 pair
with VRRP off redundant switch fabric and H.323 support.

As for your cost commentary, you are absolutely right. I said grandma
needs a firewall, not that she has one or will buy one. That is the
unfortunate disparity between prudence and practical application.

--ra

[1]http://dictionary.reference.com/search?q=firewall

--
k. rachael treu, CISSP [email protected]
..quis costodiet ipsos custodes?..

On Wed, Mar 17, 2004 at 11:19:54AM -0800, Alexei Roudnev said something to the effect of:

> Not _firewalling_, but access limitation. Grandma can live with PNAT
> router - she does not need any firewall, if she does not grant external
> access to anything. She can live with Windows _default deny_ setting. If
> grandma has extra money, it is better to purchase anti-virus.
>
> Moreover. Just for _grandma_, it can be cheaper to do nothing than to
> invest into security (bad thing for us, I know!) - because she loses '$0'
> in case of intrusion... It explains the wide spread of modern viruses,
> spam-trojans etc (they cost '$0' to infected households in many cases).
>
> It is as Wireless access - my friend has a secured access point, but when
> I tried, I could use unsecured access points of 2 of his neighbours.
> They know about insecurity - but they do not lose anything, so they do
> not want to spend $0.01 to improve it. And unfortunately, I cannot blame
> them.
>
> > On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > > The best option I guess is to figure out how important it is
> > > > > for you to have a firewall,
> > > >
> > > > _Everyone_ (network connected) should have a firewall. My grandma
> > > > should have a firewall. Nicole, holding dominion over this
> > > > business network and its critical infrastructure, should
> > > > _definitely_ have a firewall. ;)
> > >
> > > Why? When did the end2end nature of the Internet suddenly
> > > sprout these mutant bits of extra complexity that reduce
> > > the overall security of the 'net?
> > >
> > > Two questions asked, Two answers are sufficient.
> >
> > Nope. One will do it. The day the first remote exploit or condition,
> > in protocol or application, that could potentially have given rise to
> > such an exploit made it possible for a user not in your control to gain
> > control of your box(en), firewalling became necessary. The Internet is
> > not exactly end-to-end beyond pure fundamentals; it's more
> > end-to-many-ends. And the notion of "end-to-end" requires preservation
> > of a connection between 2 consenting hosts, and preservation includes
> > securement of that connection against destructive mechanisms, which
> > includes the subversive techniques and interceptions commonly
> > associated with network security.
> >
> > Denial of Service is as much a threat to availability and network
> > functionality as is power outage if it occurs. Before this turns to a
> > "you security freaks want to screw around with my network and don't
> > care about availability..."
> >
> > Firewalls are logical interventions, costing as little as some
> > processor overhead. Dedicated appliances are only one deployment.
> > Filters on routers also qualify as firewalls. Am I correct in
> > understanding that you feel edge filtering is mutant lunacy and
> > unnecessary complexity?
> >
> > Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> > regarding appropriate and competent administration. The lack thereof
> > presents the complication, not the countermeasure itself.
> >
> > As for your assertion that firewalls "reduce the overall security of
> > the 'net."...can you please elaborate on that, as well? Other factions
> > might/do argue that it's the other team refusing to lock their doors
> > at night that are perpetuating the flux of bad behavior as a close
> > second to the ignorant and infected.
> >
> > --ra
> >
> > --
> > k. rachael treu, CISSP [email protected]
> > ..quis costodiet ipsos custodes?..
> >
> > > --bill