Firewall opinions wanted please

bill bmanning at karoshi.com
Wed Mar 17 23:01:50 UTC 2004


> "the primary purpose of a firewall is to keep the bad 
> guys away from the buggy code.  Firewalls are the networks' response to 
> the host security problem."

	a pretty good sound bite. :)

> Add to that that you don't really know what's 
> safe or unsafe, and that you have some services that are convenient for 
> insiders but don't have adequate, scalable authentication on which you 
> can build an authorization mechanism, and you see why firewalls are 
> useful.
> 
> Perfect?   No, of course not.  A good idea?  Absolutely.  

	Er... perhaps.

	Who is configuring the "firewall"? What are its capabilities?
	How easy will it be to deploy new services?  I, as an enduser,
	am abdicating most of my responsibility to or it is being hijacked
	by one or more network service providers.   Ken is right.

	Firewalls, in general, seem to be a great place for blackhats
	to focus on.  DoS is trivial, the degenerate case is encaps
	of everything into stuff that passes through the firewall
	(IP over port 80), and then we've just pushed the problem
	elsewhere, adding more complexity to the system for little
	if any improvement in the overall integrity.  Sounds like
	the result is a system that is more fragile. 

> 		--Steve Bellovin, http://www.research.att.com/~smb

--bill (cynic)

	Noting that the nanog thread of the day has changed, but 
	not n'cessly for the better. :)
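The "IP over port 80" degenerate case in the post above, as an added example that is not part of the original thread or anyone's code in it. It contrasts the port-only rule a firewall enforces ("allow 80/443, drop the rest") with the minimal content check a practitioner would bolt on (what is on port 80 must at least start like an HTTP request), and shows with constructed sample flows that the check stops the naive tunnel but not one that wraps itself in well-formed HTTP, which is the "problem pushed elsewhere" point. The flow records, addresses and payloads are made up for the example; `Flow`, `port_policy`, `content_policy` and `looks_like_http` are names assumed here, not any firewall product's API.

```python
"""
Added example (not from the NANOG post): a port-only firewall rule beside
a content-aware one, run over constructed flow records.
"""
import re
from dataclasses import dataclass

# Leading bytes of an HTTP/1.x request line; used as the cheap first check.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")
# TLS record header: content type 0x16 (handshake), major version 3.
TLS_CLIENT_HELLO = b"\x16\x03"
REQUEST_LINE = re.compile(rb"[A-Z]+ \S+ HTTP/1\.[01]")


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client (constructed)


def port_policy(flow: Flow) -> str:
    """The port-only rule the post is talking about: allow 80/443, drop the rest."""
    return "allow" if flow.dport in (80, 443) else "drop"


def looks_like_http(payload: bytes) -> bool:
    """True if the payload starts with a syntactically valid HTTP/1.x request line."""
    if not payload.startswith(HTTP_METHODS):
        return False
    line = payload.split(b"\r\n", 1)[0]
    return REQUEST_LINE.fullmatch(line) is not None


def content_policy(flow: Flow) -> str:
    """Same port rule, plus: traffic on 80 must be HTTP and on 443 must be TLS."""
    if flow.dport == 80:
        return "allow" if looks_like_http(flow.first_bytes) else "drop:not-http-on-80"
    if flow.dport == 443:
        return "allow" if flow.first_bytes.startswith(TLS_CLIENT_HELLO) else "drop:not-tls-on-443"
    return "drop"


# Constructed sample flows (RFC 5737 documentation addresses, invented payloads).
SAMPLE_FLOWS = [
    # 0: ordinary web request
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # 1: SSH to port 22, blocked by both policies
    Flow("10.0.0.5", "203.0.113.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # 2: the same SSH server parked on port 80 (the naive "anything over 80" case)
    Flow("10.0.0.7", "198.51.100.9", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # 3: raw IP-in-TCP tunnel; first bytes are an IPv4 header (0x45 ...), not a request line
    Flow("10.0.0.9", "198.51.100.9", 80, b"\x45\x00\x00\x3c\x1c\x46\x40\x00\x40\x06"),
    # 4: TLS ClientHello on 443, allowed by both
    Flow("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    # 5: the tunnel re-wrapped as a well-formed HTTP POST; passes the content check too
    Flow("10.0.0.9", "198.51.100.9", 80,
         b"POST /tunnel HTTP/1.1\r\nHost: 198.51.100.9\r\n"
         b"Content-Type: application/octet-stream\r\n\r\n"
         b"\x45\x00\x00\x3c\x1c\x46\x40\x00\x40\x06"),
]


def evaluate(flows=SAMPLE_FLOWS):
    """Return (dport, port-only verdict, content-aware verdict) for each flow."""
    return [(f.dport, port_policy(f), content_policy(f)) for f in flows]


if __name__ == "__main__":
    for dport, p, c in evaluate():
        print(f"dport={dport:<4} port-only={p:<6} with-content-check={c}")
```

Flows 2 and 3 are where the port-only rule says "allow" and the content check says "drop"; flow 5 is allowed by both, because nothing in a request line distinguishes a tunnel carried in a POST body from a file upload. Telling those apart needs state beyond the first packet (volume, duration, request rate, body entropy), which is exactly the added complexity the post is complaining about.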
