ACLs vs. full firewalls

Steven M. Bellovin smb at cs.columbia.edu
Tue Apr 7 23:38:10 UTC 2009


On Wed, 08 Apr 2009 09:20:34 +1000
Karl Auer <kauer at biplane.com.au> wrote:

> On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
> > > I'd be interested to hear why people use firewalls.
> 
> > End hosts are not always trustworthy.
> > 
> > If a host is compromised, should it be able to send anything and  
> > everything out to the public network?
> 
> A packet filter looks at the "top surface" of the packet, and
> processes the packet accordingly - based on things like the protocol,
> the source address, the destination address, the TCP flags and so on.
> 
> A firewall, on the other hand, makes decisions based on knowledge
> about the data being carried.
> 
> I.e., firewall != packet filter; my question related to firewalls.
> 
A packet filter is often part of a firewall, though it's usually not a
complete solution.  However, I'd disagree with your blanket assertion.
A better way to phrase it is that a firewall at a given level cannot
protect against attacks at a different level.  Packet filters don't
block SMTP weirdness or filter Evilscript from web pages; web proxies
don't guard against, say, ACK scans.  It's like it says on the tube of
toothpaste: a packet filter (or for that matter, a firewall) is an
effective security device if used as part of a program of good network
hygiene and regular professional care.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb
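The distinction the thread draws, shown as a small model rather than argued: an added example, not code from the NANOG thread or from any of its authors. The ACL below is a first-match, stateless packet filter that reads only protocol, addresses, port and TCP flags (including a Cisco-style "established" rule that matches on ACK/RST). Beside it is a minimal connection tracker that applies the same ACL to flow-opening SYNs only and admits later packets only for flows it saw open. Addresses, ports, the rule set and the packets are all constructed (RFC 5737 documentation prefixes). Two things fall out: a bare ACK aimed at a host nobody opened a connection to passes the stateless ACL (the "established" rule cannot tell a reply from an ACK probe) but is dropped by the tracker; and a malformed SMTP payload passes both, because neither device looks below the transport header, which is the "level" point in Steve's reply.

```python
# Stateless ACL vs. connection-tracking filter, as a toy model.
# Added example, not code from the NANOG thread; addresses, ports, rules
# and packets are constructed (RFC 5737 documentation prefixes).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                           # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    payload: bytes = b""                 # carried along, but never read by either filter


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    established: bool = False            # Cisco-style "established": ACK or RST set

    def matches(self, p: Packet) -> bool:
        # Only the "top surface" of the packet is consulted: L3/L4 header fields.
        if self.proto != "any" and self.proto != p.proto:
            return False
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return True


def acl_decision(rules: List[Rule], p: Packet) -> str:
    """First-match stateless ACL with an implicit deny at the end."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class ConnTracker:
    """Minimal stateful filter: the ACL is applied to flow-opening SYNs only;
    every later TCP packet must belong to a flow the tracker saw open."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows = set()

    @staticmethod
    def _key(p: Packet):
        # Direction-independent flow identity, so replies map to the same flow.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def decide(self, p: Packet) -> str:
        if p.proto != "tcp":
            return acl_decision(self.rules, p)
        key = self._key(p)
        if "SYN" in p.flags and "ACK" not in p.flags:    # new connection attempt
            verdict = acl_decision(self.rules, p)
            if verdict == "permit":
                self.flows.add(key)
            return verdict
        if key in self.flows:                             # mid-stream packet of a known flow
            if "RST" in p.flags:
                self.flows.discard(key)
            return "permit"
        return "deny"  # e.g. a bare ACK for a connection nobody opened


# Constructed policy for a site on 192.0.2.0/24 with a mail server at 192.0.2.25.
ACL = [
    Rule("permit", "tcp", dst="192.0.2.25/32", dport=25),  # inbound SMTP
    Rule("permit", "tcp", src="192.0.2.0/24"),             # anything outbound
    Rule("permit", "tcp", established=True),               # replies to outbound flows
]

OUTSIDE, INSIDE, MAIL = "198.51.100.7", "192.0.2.10", "192.0.2.25"


def demo() -> dict:
    """Run the same constructed packets through both filters; returns
    {name: (stateless ACL verdict, connection-tracker verdict)}."""
    smtp_syn = Packet("tcp", OUTSIDE, MAIL, 40000, 25, frozenset({"SYN"}))
    smtp_data = Packet("tcp", OUTSIDE, MAIL, 40000, 25, frozenset({"ACK", "PSH"}),
                       payload=b"EHLO \xff\xfe" + b"A" * 4000)  # malformed SMTP: invisible to both
    out_syn = Packet("tcp", INSIDE, OUTSIDE, 51000, 443, frozenset({"SYN"}))
    reply = Packet("tcp", OUTSIDE, INSIDE, 443, 51000, frozenset({"SYN", "ACK"}))
    ack_probe = Packet("tcp", OUTSIDE, INSIDE, 40001, 80, frozenset({"ACK"}))  # no flow opened

    fw = ConnTracker(ACL)
    results = {}
    for name, pkt in [("smtp_syn", smtp_syn), ("smtp_data", smtp_data),
                      ("out_syn", out_syn), ("reply", reply), ("ack_probe", ack_probe)]:
        results[name] = (acl_decision(ACL, pkt), fw.decide(pkt))
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:10s} stateless={verdicts[0]:6s} stateful={verdicts[1]}")
```

Order matters in the demo: the tracker sees the outbound SYN before the reply, which is what lets it accept the SYN-ACK while refusing the unrelated ACK. Note that `Rule.matches` and `ConnTracker.decide` never touch `payload`; the point is not that one device is "better" but that both operate at the transport layer, so SMTP-level problems have to be handled by something that parses SMTP.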
