Firewall opinions wanted please
Rachael Treu
rara at navigo.com
Wed Mar 17 20:50:31 UTC 2004
Guys...firewall is as generic a term as any. Saying grandma needs a
router does not mean that an M20 is interchangeable with her Linksys.
The definition of firewall[1]:
1. A fireproof wall used as a barrier to prevent the spread of fire.
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a computer network or that monitor transfers of information to and from the network.
By that rationale, firewall includes ACLs, filtering, and the umpteen
built-in apps that ship standard with home CPE/routers that _call
themselves_ firewall software.
I am absolutely talking access control. Not about an HA Netscreen500
pair with VRRP off redundant switch fabric and H.323 support.
As for your cost commentary, you are absolutely right. I said grandma
needs a firewall, not that she has one or will buy one. That is the
unfortunate disparity between prudence and practical application.
--ra
[1]http://dictionary.reference.com/search?q=firewall
--
k. rachael treu, CISSP rara at navigo.com
..quis costodiet ipsos custodes?..
On Wed, Mar 17, 2004 at 11:19:54AM -0800, Alexei Roudnev said something to the effect of:
> Not _firewalling_, but access limitation. Grandma can live with a PNAT
> router - she does not need any firewall, if she does not grant external access
> to anything. She can live with Windows' _default deny_ setting. If grandma
> has extra money, it is better to purchase anti-virus.
>
> Moreover. Just for _grandma_, it can be cheaper to do nothing than to invest
> in security (bad thing for us, I know!) - because she loses '$0' in case
> of intrusion... It explains the wide spread of modern viruses, spam-trojans etc.
> (they cost '$0' to infected households in many cases).
>
> It is the same with wireless access - my friend has a secured access point, but when I
> tried, I could use the unsecured access points of 2 of his neighbours.
> They know about the insecurity - but they do not lose anything, so they do not
> want to spend $0.01 to improve it. And unfortunately, I cannot blame them.
>
>
> >
> > On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the
> > effect of:
> > > > > The best option I guess is to figure out how important it is for you
> > > > > to have a firewall,
> > > >
> > > > _Everyone_ (network connected) should have a firewall. My grandma
> > > > should have a firewall. Nicole, holding dominion over this business
> > > > network and its critical infrastructure, should _definitely_ have a
> > > > firewall. ;)
> > > >
> > > Why? When did the end2end nature of the Internet suddenly
> > > sprout these mutant bits of extra complexity that reduce
> > > the overall security of the 'net?
> > >
> > > Two questions asked, two answers are sufficient.
> >
> > Nope. One will do it. The day the first remote exploit or condition,
> > in protocol or application, that could potentially have given rise to such
> > an exploit made it possible for a user not in your control to gain control
> > of your box(en), firewalling became necessary. The Internet is not exactly
> > end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the
> > notion of "end-to-end" requires preservation of a connection between 2
> > consenting hosts, and preservation includes securement of that connection
> > against destructive mechanisms, which includes the subversive techniques
> > and interceptions commonly associated with network security.
> >
> > Denial of Service is as much a threat to availability and network
> > functionality as is a power outage, if it occurs. Before this turns to a
> > "you security freaks want to screw around with my network and don't care
> > about availability..."
> >
> > Firewalls are logical interventions, costing as little as some processor
> > overhead. Dedicated appliances are only one deployment. Filters on
> > routers also qualify as firewalls. Am I correct in understanding that you
> > feel edge filtering is mutant lunacy and unnecessary complexity?
> >
> > Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> > regarding appropriate and competent administration. The lack thereof
> > presents the complication, not the countermeasure itself.
> >
> > As for your assertion that firewalls "reduce the overall security of the
> > 'net."...can you please elaborate on that, as well? Other factions
> > might/do argue that it's the other team refusing to lock their doors at
> > night that are perpetuating the flux of bad behavior as a close second to
> > the ignorant and infected.
> >
> > --ra
> >
> > --
> > k. rachael treu, CISSP rara at navigo.com
> > ..quis costodiet ipsos custodes?..
> > >
> > > --bill
> >
> >