Telco's write best practices for packet switching networks

Steven M. Bellovin smb at research.att.com
Wed Mar 6 14:41:55 UTC 2002


In message <gu9ofi1rcwe.fsf at rampart.argfrp.us.uu.net>, Eric Brandwine writes:

>
>Firewalls are good things for general purpose networks.  When you've
>got a bunch of clueless employees, all using Windows shares, NFS, and
>all sorts of nasty protocols, a firewall is best practice.  Rather
>than educate every single one of them as to the security implications
>of their actions, just insulate them, and do what you can behind the
>firewall.
>
>When you've got a deployed server, run by clueful people, dedicated to
>a single task, firewalls are not the way to go.  You've got a DNS
>server.  What are you going to do with a firewall?  Permit tcp/53 and
>udp/53 from the appropriate net blocks.  Where's the protection?  Turn
>off unneeded services, choose a resilient and flame tested daemon, and
>watch the patchlist for it.

Precisely.  You *may* need a packet filter to block things like SNMP 
(to name a recent case in point), but a general-purpose firewall is 
generally the wrong solution for appliance computers.

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
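The narrow packet filter Eric and Steve describe for a single-purpose DNS host, as an added example that is not part of the thread: a default-drop nftables ruleset that admits only DNS from the listed netblocks and SSH from a management net (so SNMP and anything else never reaches a daemon), plus a check that the host listens on nothing the filter does not admit. The netblocks and the `ss -lntu` sample are constructed, and nftables syntax postdates the 2002 post.

```shell
#!/bin/sh
# Added example, not from the original thread. Netblocks are constructed
# documentation ranges (RFC 5737); adjust to the real query sources.
ALLOWED_NETS="192.0.2.0/24 198.51.100.0/24"   # who may query this server
MGMT_NET="203.0.113.0/24"                     # where admins ssh from

# Emit a host ruleset: policy drop, so an unexpected daemon (SNMP, say) is
# unreachable even if it is running. The explicit SNMP line is only there
# to count probes; the default policy would drop them anyway.
gen_ruleset() {
    nets=$(echo "$ALLOWED_NETS" | sed 's/ /, /g')
    cat <<EOF
table inet dnshost {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr { $nets } udp dport 53 accept
        ip saddr { $nets } tcp dport 53 accept
        ip saddr $MGMT_NET tcp dport 22 accept
        udp dport { 161, 162 } counter drop comment "snmp probes"
    }
}
EOF
}

# Read 'ss -lntu' output on stdin and print every listener (proto/port) that
# the filter does not admit; "turn off unneeded services" means this prints
# nothing on a properly stripped host.
unexpected_listeners() {
    awk -v ok="udp/53 tcp/53 tcp/22" '
        NR > 1 {
            n = split($5, a, ":"); key = $1 "/" a[n]
            if (index(" " ok " ", " " key " ") == 0) print key
        }'
}

# Constructed sample of 'ss -lntu' output from a host that still runs snmpd
# and a local MTA.
SAMPLE_SS="Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25      0.0.0.0:*"

gen_ruleset
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners
```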

More information about the NANOG mailing list