ACLs vs. full firewalls
Steven M. Bellovin
smb at cs.columbia.edu
Tue Apr 7 23:38:10 UTC 2009
On Wed, 08 Apr 2009 09:20:34 +1000
Karl Auer <kauer at biplane.com.au> wrote:
> On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
> > > I'd be interested to hear why people use firewalls.
>
> > End hosts are not always trustworthy.
> >
> > If a host is compromised, should it be able to send anything and
> > everything out to the public network?
>
> A packet filter looks at the "top surface" of the packet, and
> processes the packet accordingly - based on things like the protocol,
> the source address, the destination address, the TCP flags and so on.
>
> A firewall, on the other hand, makes decisions based on knowledge
> about the data being carried.
>
> I.e., firewall != packet filter; my question related to firewalls.
>
A packet filter is often part of a firewall, though it's usually not a
complete solution. However, I'd disagree with your blanket assertion.
A better way to phrase it is that a firewall at a given level cannot
protect against attacks at a different level. Packet filters don't
block SMTP weirdness or filter Evilscript from web pages; web proxies
don't guard against, say, ACK scans. It's like it says on the tube of
toothpaste: a packet filter (or for that matter, a firewall) is an
effective security device if used as part of a program of good network
hygiene and regular professional care.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
More information about the NANOG
mailing list