Firewalls - Ease of Use and Maintenance?

Joe Greco jgreco at ns.sol.net
Wed Nov 9 19:36:02 UTC 2011


> On Wed, 09 Nov 2011 08:00:01 CST, Joe Greco said:
> > > On Wed, Nov 09, 2011 at 03:32:45PM +0300, Alex Nderitu wrote:
> > > > An important feature lacking for now as far as I know is content/web
> > > > filtering especially for corporates wishing to block
> > > > inappropriate/time-wasting content like Facebook.
> 
> > > 1. That's not a firewall function.  That's a censorship function.
> 
> > Is it "censorship" not to want unwanted connection attempts to our
> > gear, and block unsolicited TCP connections inbound?
> 
> > Is it "censorship" not to want unwanted exploit attempts to our
> > gear, and run everything through ClamAV, and use blocklists to
> > prevent users inadvertently pulling content from known malware sites?
> 
> I do believe that Alex was saying "blocking outbound access to time wasters
> like Facebook" is a censorship function, not a firewall function.

Of course he was.

My point is that that's irrelevant. 

There are plenty of good policy reasons for wanting to block application
layer stuff.  The statement Alex made appeared to characterize blocking
Facebook as a "bad policy".  As a result, one might infer that Alex's
conclusion is that "firewalls shouldn't do this type of blocking."

The merits of policies such as "blocking Facebook" are largely beyond
the scope of NANOG; I don't propose to debate that point.  There are
other forums to debate such censorship.

However, the point I made should be easily understood:  a firewall that
offers tools to prevent users from visiting a certain website (via URL,
let's say) is really not any different than a firewall that offers tools
to prevent users from visiting a certain website (via packet firewall
rules, let's say).  Do you really want your users connecting to websites
known to be operated by RBN, or virus infected stuff, or spyware?  The
difference between "we want to protect our gear against known harmful
sites" and "we want to block our employees from visiting dating sites"
is probably indistinguishable at a technical implementation level.

So, in clearer response to Alex: who cares?  That's not a NANOG issue.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.