Firewall opinions wanted please
Steven M. Bellovin
smb at research.att.com
Wed Mar 17 20:37:32 UTC 2004
In message <4058AEF2.2060109 at he.iki.fi>, Petri Helenius writes:
>
>>
>No, the applications should accept only authorized connections. If that
>would be the case, there would be no need to filter at packet level.
>
No. Quite apart from the fact that you mean "authorized", not
"authenticated", the primary purpose of a firewall is to keep the bad
guys away from the buggy code. Firewalls are the networks' response to
the host security problem.

Put in a NANOG-friendly way, they're a scalable security mechanism
that can *help* defend you. Think of the endorsement on most tubes of
(American) toothpaste:

    ... has been shown to be an effective decay-preventive
    dentifrice that can be of significant value when used as directed
    in a conscientiously applied program of oral hygiene and
    regular professional care.

If all you want to do is say "no" to all incoming connections on a
single machine, you don't need a separate box labeled "firewall"
-- assuming, of course, that your host is properly configured. Most
systems aren't configured that way; worse yet, it takes a lot of
knowledge to understand how to block things, and when it's ok to do so.
(It's an amusing exercise to run ZoneAlarm on a new, out-of-the-box
Windows machine and see how many different programs think they need to
talk to the network, or (worse yet) act as servers.) But it's a lot of
work to configure a machine to be that safe, and if you have a hundred
or a thousand of them you can't do it; entropy will open up new holes
-- that is, open up new sockets for buggy applications -- faster than
you can close them down. Add to that that you don't really know what's
safe or unsafe, and that you have some services that are convenient for
insiders but don't have adequate, scalable authentication on which you
can build an authorization mechanism, and you see why firewalls are
useful.

Perfect? No, of course not. A good idea? Absolutely.

--Steve Bellovin, http://www.research.att.com/~smb