Firewall opinions wanted please
Steven M. Bellovin
smb at research.att.com
Thu Mar 18 00:28:57 UTC 2004

In message <200403172301.i2HN1o920765 at karoshi.com>, bill writes:
>> "the primary purpose of a firewall is to keep the bad
>> guys away from the buggy code. Firewalls are the networks' response to
>> the host security problem."
>
> a pretty good sound bite. :)

Thanks -- I've been using that line for about 10 years, and I haven't gotten
tired of it yet....

>
>> Add to that that you don't really know what's
>> safe or unsafe, and that you have some services that are convenient for
>> insiders but don't have adequate, scalable authentication on which you
>> can build an authorization mechanism, and you see why firewalls are
>> useful.
>>
>> Perfect? No, of course not. A good idea? Absolutely.
>
> Er... perhaps.
>
> Who is configuring the "firewall"? What are its capabilities?
> How easy will it be to deploy new services? I, as an enduser,
> am abdicating most of my responsibility to or it is being hijacked
> by one or more network service providers. Ken is right.

I don't have time to participate in this thread any more tonight --
tomorrow is the biweekly IESG call, and I still have several documents
to review -- but I never said that ISPs should implement firewalls. In
fact, in general that's a bad idea. Firewalls are the instantiation of
a security policy; I don't want my ISP telling me what my security policy
is or should be.

To be sure, there is a market for a value-added ISP service that
provides assorted types of filtering. But that's the sort of thing
that's best done by consenting adults. More later....

--Steve Bellovin, http://www.research.att.com/~smb