North American Network Operators Group

Re: Firewall opinions wanted please

  • From: Steven M. Bellovin
  • Date: Wed Mar 17 19:31:11 2004

In message <[email protected]>, bill writes:
>> "the primary purpose of a firewall is to keep the bad 
>> guys away from the buggy code.  Firewalls are the networks' response to 
>> the host security problem."
>
>	a pretty good sound bite. :)

Thanks -- I've been using that line for about 10 years, and I haven't gotten 
tired of it yet....
>
>> Add to that that you don't really know what's 
>> safe or unsafe, and that you have some services that are convenient for 
>> insiders but don't have adequate, scalable authentication on which you 
>> can build an authorization mechanism, and you see why firewalls are 
>> useful.
>> 
>> Perfect?   No, of course not.  A good idea?  Absolutely.  
>
>	Er... perhaps.
>
>	Who is configuring the "firewall"? What are its capabilities?
>	How easy will it be to deploy new services?  I, as an enduser,
>	am abdicating most of my responsibility to or it is being hijacked
>	by one or more network service providers.   Ken is right.

I don't have time to participate in this thread any more tonight -- 
tomorrow is the biweekly IESG call, and I still have several documents 
to review -- but I never said that ISPs should implement firewalls.  In 
fact, in general that's a bad idea.  Firewalls are the instantiation of 
a security policy; I don't want my ISP telling me what my security policy
is or should be.  

To be sure, there is a market for a value-added ISP service that 
provides assorted types of filtering.  But that's the sort of thing 
that's best done by consenting adults.  More later....


		--Steve Bellovin, http://www.research.att.com/~smb