Firewall opinions wanted please
Alexei Roudnev
alex at relcom.net
Wed Mar 17 19:19:54 UTC 2004
Not _firewalling_, but access limitation. Grandma can live with a PNAT
router; she does not need any firewall if she does not grant external access
to anything. She can live with the Windows _default deny_ setting. If grandma
has extra money, it is better to purchase anti-virus.
Moreover, just for _grandma_, it can be cheaper to do nothing than to invest
in security (a bad thing for us, I know!), because she loses '$0' in case
of intrusion... It explains the wide spread of modern viruses, spam-trojans etc.
(they cost '$0' to infected households in many cases).
It is like wireless access: my friend has a secured access point, but when I
tried, I could use the unsecured access points of two of his neighbours.
They know about the insecurity, but they do not lose anything, so they do not
want to spend $0.01 to improve it. And unfortunately, I cannot blame them.
>
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall,
> > >
> > > _Everyone_ (network connected) should have a firewall. My grandma should
> > > have a firewall. Nicole, holding dominion over this business network and
> > > its critical infrastructure, should _definitely_ have a firewall. ;)
> > >
> > Why? When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?
> >
> > Two questions asked, Two answers are sufficient.
>
> Nope. One will do it. The day the first remote exploit or condition,
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control
> of your box(en), firewalling became necessary. The Internet is not exactly
> end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the
> notion of "end-to-end" requires preservation of a connection between 2
> consenting hosts, and preservation includes securement of that connection
> against destructive mechanisms, which includes the subversive techniques and
> interceptions commonly associated with network security.
>
> Denial of Service is as much a threat to availability and network
> functionality as is power outage if it occurs. Before this turns to a "you
> security freaks want to screw around with my network and don't care about
> availability..."
>
> Firewalls are logical interventions, costing as little as some processor
> overhead. Dedicated appliances are only one deployment. Filters on
> routers also qualify as firewalls. Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
>
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> regarding appropriate and competent administration. The lack thereof
> presents the complication, not the countermeasure itself.
>
> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well? Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.
>
> --ra
>
> --
> k. rachael treu, CISSP rara at navigo.com
> ..quis custodiet ipsos custodes?..
> >
> > --bill
>
>
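A worked illustration of the _default deny_ / PNAT behaviour the thread is arguing about, added here as an example and not taken from the thread or from any real firewall product: a toy stateful filter that accepts traffic the inside host initiates and the replies to it, and drops every unsolicited inbound connection unless an explicit inbound allow rule (grandma "granting external access") is added. The addresses, ports and packets are constructed for the example; `Packet`, `DefaultDenyFilter` and `run_demo` are names chosen here, not anything from the thread.

```python
"""Toy stateful default-deny packet filter (added example, constructed data).

Models the effect of a "default deny" host setting or a PNAT router as
discussed above: flows the inside host starts are remembered in a state
table, their replies are accepted, and anything else is dropped unless an
explicit inbound allow rule opens that service.
"""
from dataclasses import dataclass

INSIDE_NET = "192.168.1."   # constructed: the household LAN prefix


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class DefaultDenyFilter:
    def __init__(self, allow_inbound=()):
        # (proto, dport) pairs the owner has deliberately exposed
        self.allow_inbound = set(allow_inbound)
        # 5-tuples of flows the inside host initiated
        self.state = set()
        self.log = []

    @staticmethod
    def _inside(ip):
        return ip.startswith(INSIDE_NET)

    def process(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            self.state.add(key)          # outbound: allow and remember the flow
            return "ACCEPT"
        if reverse in self.state:
            return "ACCEPT"              # reply to a flow the inside host started
        if (pkt.proto, pkt.dport) in self.allow_inbound:
            return "ACCEPT"              # service the owner chose to expose
        self.log.append(f"DROP {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "DROP"                    # default deny for everything else


def run_demo():
    """Return the verdicts for a constructed packet sequence."""
    closed = DefaultDenyFilter()                               # grandma: nothing exposed
    with_ssh = DefaultDenyFilter(allow_inbound=[("tcp", 22)])  # owner exposed one service
    browse = Packet("192.168.1.10", 51000, "203.0.113.5", 80)   # inside host opens a web page
    reply = Packet("203.0.113.5", 80, "192.168.1.10", 51000)    # the server's answer
    probe = Packet("198.51.100.7", 4444, "192.168.1.10", 445)   # unsolicited inbound scan
    ssh = Packet("198.51.100.7", 4445, "192.168.1.10", 22)      # unsolicited inbound to 22
    forged = Packet("203.0.113.5", 80, "192.168.1.10", 51001)   # "reply" to a flow never opened
    return [
        closed.process(browse),    # ACCEPT: outbound
        closed.process(reply),     # ACCEPT: matches state table
        closed.process(probe),     # DROP: unsolicited, no rule
        closed.process(ssh),       # DROP: unsolicited, no rule
        with_ssh.process(ssh),     # ACCEPT: owner granted external access to 22/tcp
        closed.process(forged),    # DROP: full 5-tuple must match, not just the peer
    ]


if __name__ == "__main__":
    print(run_demo())
```

The last packet shows why the state table keys on the full 5-tuple: a packet claiming to be a reply from a legitimate server still gets dropped if the inside host never opened that particular flow. Nothing here is a substitute for a real filter; it only makes concrete the claim that "default deny, unless the owner opens something" already covers the household case.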