I don't need no stinking firewall!

Michael K. Smith mksmith at adhost.com
Sun Jan 10 19:03:11 CST 2010



On 1/9/10 10:32 PM, "Dobbins, Roland" <rdobbins at arbor.net> wrote:

> 
> On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
> 
>> Again, a firewall has it's place just like any other device in the network,
>> defense in >>> depth is a prudent philosophy to reduce the chances of
>> compromise, it does not >>>eliminate it nor does any architecture you can
>> think of, period
> 
> What a ridiculous statement - of course it does.
> 
> *The place of the stateful firewall is in front of clients, not servers*.
> 
> I'm not going to continue the unequal contest of pitting real-world
> operational experience against Confused Information Systems Security
> Professional brainwashing.  One can spout all the buzzwords and catchphrases
> one wishes, but at the end of the day, it's all dead wrong - and anyone naive
> enough to fall for it is setting himself up for a world of hurt.
> 

I certainly understand and agree with your position, in most cases, but
there are some instances when a firewall serves an excellent purpose.  As an
example, we manage hundreds of heterogeneous servers where customers also
have administrative access to the devices.  As such, we can never be sure
they haven't changed something that can negatively impact the security of
the server or servers.

However, since the firewall is a magic box  they don't want anything to do
with it.  This means that I can keep a server fairly secure from extraneous
cruft and have a demarcation point into and out of the customer's
environment that I control.

I understand this does nothing for SQL injection, XSS, and other
application-layer mischief, but it does wonders for keeping all the other
stuff blocked, even when an customer "admin" says "why do I need Windows
Firewall?"

I wish I had a perfect world where I had a homogenous server environment
that I controlled all the way through the stack with only one Management
Layer to deal with.  But, I'm glad I don't because these customers pay my
salary.

Regards,

Mike





More information about the NANOG mailing list