I don't need no stinking firewall!

Kevin Oberman oberman at es.net
Wed Jan 6 00:55:41 UTC 2010

> From: Jared Mauch <jared at puck.nether.net>
> Date: Tue, 5 Jan 2010 16:20:56 -0500
> On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote:
> > It's all how you configure and tweak the firewall.  Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world?
> Some people think that exposing any functionality by default such as that is a poor security practice :)
> My biggest issue is that people think that Firewalls, AV, etc  are a catch-all for any network/user/security badness.  The real world is more complex than that.
> Most people make poor security choices and this creates much larger issues.
> "I thought the firewall would protect me".
> "I thought my IPS would protect me"
> "I thought my AV would protect me"
> Most of these technologies create a truly false sense of security.
> I'm once again reminded of many people who do technically "silly"
> things like block TCP/53, packets over 512 bytes, port 587, ssl imap
> ports, etc.
> It's frustrating and sad because it's not an effective security
> strategy and frustrates grumpy old-school users such as myself that used
> odi drivers w/ ka9q to multitask over our CSLIP networks.

I suspect at least part of this will soon get fixed due to DNSSEC.
Blocking tcp/53 and packets over 512 bytes will cause user complaints
and, after enough education, the problem will get fixed.

I had a problem with a large US government site due to tcp/53 blocking
and had no luck getting it fixed. The "Security Officer" informed me
that tcp/53 was only ever needed for zone transfer and any other use was
clear evidence of abuse. RFCs meant nothing to him. (I don't know if he
knew what an RFC was.)

Now that gov domains are mandated to be signed, seems like he learned that
tcp/53 could be used for normal operations.

"You can get more with a kind word and a two-by-four than you can with
just a kind word."
                                         J. Michael Straczynski from
                                         Ceremonies of Light and Dark
                                         Babylon 5
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net            Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
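The two filters the thread complains about, blocking TCP/53 and dropping DNS packets over 512 bytes, fail in exactly the way DNSSEC exposes: a signed answer no longer fits in a classic 512-byte UDP reply, so either the server truncates it and the client must retry over TCP, or the client advertises a larger EDNS0 buffer and the full UDP reply is simply dropped by the size filter. The following Python model is an added example, not code from the list posting or from ESnet; it builds a query with an EDNS0 OPT record, constructs a response padded with a dummy RRSIG so it exceeds 512 bytes (filler bytes, not a real signature), and walks the UDP-then-TCP fallback under a few hypothetical middlebox policies. The domain name, policy dictionary and outcome strings are assumptions of the example.

```python
import struct

TC_FLAG = 0x0200            # TC (truncation) bit in the DNS header flags word
EDNS_DO = 0x8000            # DNSSEC OK bit, carried in the OPT record's TTL field
TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
CLASS_IN = 1


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the name starting at `off` (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def build_query(name, qtype=TYPE_A, txid=0x1234, udp_payload=4096, dnssec_ok=True):
    """Standard query carrying an EDNS0 OPT record that advertises `udp_payload` and the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1; 1 question, 1 additional (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt_ttl = EDNS_DO if dnssec_ok else 0
    # OPT pseudo-RR (RFC 6891): root name, type 41, CLASS field = UDP payload size, TTL field = flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, opt_ttl, 0)
    return header + question + opt


def build_signed_response(query, sig_len=600):
    """Constructed response: the A record plus a dummy RRSIG so the message exceeds 512 bytes.
    The RRSIG rdata is filler, not a real signature; this models size, not validation."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    qend = skip_name(query, 12) + 4                             # name + QTYPE + QCLASS
    question = query[12:qend]
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, 2, 0, 0)   # QR=1, RD=1, RA=1; two answers
    name_ptr = b"\xC0\x0C"                                      # pointer back to the question name
    a_rr = name_ptr + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4) + bytes([192, 0, 2, 1])
    rrsig_rr = name_ptr + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 300, sig_len) + b"\x00" * sig_len
    return header + question + a_rr + rrsig_rr


def parse_header(msg):
    """Decode the 12-byte header; `truncated` is what tells a client to retry over TCP."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "truncated": bool(flags & TC_FLAG)}


def truncate(response):
    """What a server sends when the answer does not fit: header with TC=1 and only the question."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", response[:12])
    qend = skip_name(response, 12) + 4
    return struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0) + response[12:qend]


def simulate_lookup(response, client_udp_buffer, policy):
    """Outcome of one lookup. `policy` models the middlebox (hypothetical keys):
    max_udp_bytes (None = no limit) and allow_tcp53. The server truncates when the
    reply exceeds the UDP buffer the client advertised (512 when it sends no OPT)."""
    udp_reply = response if len(response) <= client_udp_buffer else truncate(response)
    if policy["max_udp_bytes"] is not None and len(udp_reply) > policy["max_udp_bytes"]:
        return "timeout: UDP reply dropped by packet-size filter"
    if not parse_header(udp_reply)["truncated"]:
        return "ok: full answer over UDP"
    if not policy["allow_tcp53"]:
        return "fail: reply truncated, TCP/53 blocked"
    return "ok: full answer over TCP fallback"


if __name__ == "__main__":
    query = build_query("www.example.gov")          # constructed name
    response = build_signed_response(query)
    print(len(query), "byte query;", len(response), "byte signed response")
    for buf, pol in [(4096, {"max_udp_bytes": None, "allow_tcp53": True}),
                     (4096, {"max_udp_bytes": 512, "allow_tcp53": True}),
                     (512, {"max_udp_bytes": 512, "allow_tcp53": False}),
                     (512, {"max_udp_bytes": 512, "allow_tcp53": True})]:
        print(f"buffer={buf} policy={pol}: {simulate_lookup(response, buf, pol)}")
```

Running it shows the two failure modes side by side: with an EDNS0 buffer of 4096 the full 661-byte reply is dropped by a 512-byte size filter (the client sees a timeout, not an error), and with a 512-byte client buffer the server sets TC, so the lookup fails only when TCP/53 is also blocked. Relaxing either filter is what makes signed zones resolve; a monitoring check that sends a DO-bit query for a signed name and alerts on timeout or on TC without a TCP answer catches this before users do.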

More information about the NANOG mailing list