I don't need no stinking firewall!

Kenny Sallee kenny.sallee at gmail.com
Tue Jan 5 22:45:54 UTC 2010


On Tue, Jan 5, 2010 at 12:16 PM, Brian Johnson <bjohnson at drtel.com> wrote:

> Security Gurus, et al,
>
> I have my own idea of what a firewall is and what it does. I also
> understand what stateful packet inspection is and what it does. Given
> this information, and not prejudging any responses, exactly what is a
> firewall for and when is stateful inspection useful?
>
> Please respond on-list as I want to have some useful discourse and
> discussion in the clear. Flamers and Trolls will be disregarded. :)
>
> Thank you.
>
>  - Brian
>
>
>
To me - a firewall is just another layer of security to help protect
company/personal assets.  Firewalls, AV, IPS, OS patches, physical security,
educated users etc. etc...all play a part in protecting what you own and
what data you have from 'bad guys'.  Where to place firewalls depends on
what you are protecting.  If regular humans (i.e. consumers) stateful packet
firewalls are smart (although NAT does provide a level of security - and I
know there will be arguments against that).  If business assets - it depends
on scale and traffic.  If you have a small to medium business with a T1 - a
smart network engineer can use ACLs to protect your assets but stateful
firewalls are fairly cheap so why not use them?  If you are running gigabits
worth of traffic then a stateful firewall is a bad thing but layered
protection is still important.  DDOS defenses of some form are part of that
layered protection (scale to handle DDOS, work w/ upstream providers etc.).
So I guess my answer is - it just depends on the business, traffic
patterns, $$, and skill sets of the engineers or consultants you hire.  But
I do agree - firewalling or protection of assets is a necessity no matter
what your size or scale from a practical and most likely regulatory
perspective.

So now I get to rant - because I think that 'security gurus' are
one-track minded.  Often times - in larger organizations the executives
are the largest FUD mongers.  This leads to hiring a 'Security Guru'.  The
'Security Guru' convinces said executives that the sky is falling.
Executives fear for their jobs and company assets and the next thing you
know - all innovation and flexibility is removed from the employees in the
name of security.  It's a really bad thing.  Are most users bungholes that
require strict security policies - yes.  Are they all? No.  It's your job to
make sure the company is protected enough to continue innovation and making
money.  You have a tough job I'll give you that - and I wouldn't want it -
but you chose your path in life not me!  So make it work without stifling
the users you are trying to protect! </end_rant>

Kenny



More information about the NANOG mailing list