North American Network Operators Group


Re: Firewall opinions wanted please

  • From: Chris Brenton
  • Date: Thu Mar 18 05:38:35 2004

OK, I've tried to stay out of this, but...

On Thu, 2004-03-18 at 01:17, Alexei Roudnev wrote:
>
> No. let's imagine, that I have 4 hosts, without ANY security problems in
> software,

Exactly how do you *prove* there are zero security problems with any of
this software? I hate to say it, but a lot of the security issues we are
faced with today is because people thought they could build secure
software without worrying about a secure architecture. That's exactly
what you are doing here.

> Firewall protects other services from outside access.

A good firewall *should* be doing a whole lot more than that. It should
also be giving you a good level of detail about what crosses your
perimeter. It should also be doing some level of content checking to
protect the servers behind it. It should also be stopping and alerting
you if that Web server one day tries to TFTP out to the Internet. Etc.
etc. etc.

> Second. Not EVERY network requires a FireWall. If a network (grandma) does not allow
> any ACCESS from the Internet (grandma's network does not allow access because it
> does not expose any IP device to the outside network, using NAT for outgoing
> connections), it can live without any ACL and any firewall attributes

<sarcasm> 
Absolutely, because who cares if someone drops a call home Trojan on
Grandma's system (via e-mail or nasty URL) which turns the system into a
spam relay or a DDoS zombie. That would *never* happen, right?
</sarcasm> 

Oh wait, I seem to remember that both of these problems are discussed on
at least a weekly basis in this forum. A firewall can't prevent the
above attacks, but it can give you a heads up that they happened.

> - and
> be as secure as a production network with expensive firewall(s).

Dude, *please* don't take this as a slam, but you really need to come
more up to speed on this technology. 

> Key word is _ACCESS_. No ACCESS - no FireWall (cut wires).

Agreed, but in both of your examples where you say a firewall is not
needed, you include some level of access.

Now if you are going to cut the wires and ensure there are no 802.11 or
dial-in access points, I'll agree so long as physical security is up to
snuff.

> One Way Access -
> many different devices play the role of a firewall (a PNAT translator, for example,
> does 99.9% of the work).

Hey, has anyone tested this lately? I beat up on a number of NAT-only
firewalls about 3 years ago and found that approximately half could be
defeated by simply using loose source routing. Has anyone tested the
latest round-up of products for this "functionality"?

HTH,
Chris
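The two "heads up" cases Chris describes (a Web server that suddenly TFTPs out, and an internal host turned into a spam relay) are egress checks a perimeter device can run over its own connection log. The script below is an added illustration, not code from this thread or from NANOG: it assumes a hypothetical per-host role policy and a constructed log in "src dst proto dport" form.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

class Conn(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int

# Constructed perimeter log of outbound connection attempts (not real traffic).
SAMPLE_LOG = """\
10.0.0.10 10.0.0.2 udp 53
10.0.0.10 203.0.113.5 udp 69
10.0.0.20 203.0.113.9 tcp 443
10.0.0.20 198.51.100.1 tcp 25
10.0.0.20 198.51.100.2 tcp 25
10.0.0.20 198.51.100.3 tcp 25
10.0.0.30 198.51.100.2 tcp 25
"""

# Hypothetical egress policy: each internal host's role and what that role may initiate.
ROLES = {"10.0.0.10": "web", "10.0.0.20": "workstation", "10.0.0.30": "mailhub"}
ALLOWED: Dict[str, Set[Tuple[str, int]]] = {
    "web": {("udp", 53)},  # a Web server answers requests; it should rarely initiate anything
    "workstation": {("udp", 53), ("tcp", 80), ("tcp", 443)},
    "mailhub": {("udp", 53), ("tcp", 25)},
}

def parse_log(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport = line.split()
            conns.append(Conn(src, dst, proto, int(dport)))
    return conns

def egress_violations(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Any outbound flow outside the host role's allow-list is reported (e.g. web host -> udp/69)."""
    return [(c, ROLES.get(c.src, "unknown")) for c in conns
            if (c.proto, c.dport) not in ALLOWED.get(ROLES.get(c.src, "unknown"), set())]

def smtp_fanout_suspects(conns: List[Conn], max_dests: int = 2) -> List[str]:
    """Non-mailhub hosts sending SMTP to many distinct destinations look like spam relays."""
    dests = defaultdict(set)
    for c in conns:
        if c.proto == "tcp" and c.dport == 25 and ROLES.get(c.src) != "mailhub":
            dests[c.src].add(c.dst)
    return sorted(src for src, d in dests.items() if len(d) > max_dests)

if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    for c, role in egress_violations(conns):
        print(f"ALERT {role} host {c.src} -> {c.dst} {c.proto}/{c.dport}")
    print("possible spam relays:", smtp_fanout_suspects(conns))
```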