I don't need no stinking firewall!

Bruce Curtis bruce.curtis at ndsu.edu
Tue Jan 12 17:13:30 CST 2010


On Jan 6, 2010, at 3:56 PM, Brian Johnson wrote:

>> -----Original Message-----
>> From: Brian Keefer [mailto:chort at smtps.net]
>> Sent: Wednesday, January 06, 2010 3:12 PM
>> To: Brian Johnson
>> Cc: NANOG list
>> Subject: Re: I don't need no stinking firewall!
> 
> <SNIP>

<SNIP>

>> 
>> IMO you're better off making sure only the services you intend to
>> provide are listening, and that those services are hardened
>> appropriately for public exposure.
> 
> OK. This is obvious to anyone with experience in these things. But I
> also believe in a layered approach. It never hurts to add more layers to
> prevent human error or even internal breaches as the different systems
> are under the control of different equipment (servers, routers,
> switches, security devices). It's like two supports holding up something
> without knowing if the other one is doing its job. Both need to pull the
> full weight in case the other fails.


  I disagree.  "Never" is pretty absolute.  If that were true there would be no limit to the number of layers.

  Realistically I have experienced the harm from having firewalls in the network path.

  I have witnessed too many video sessions that either couldn't be started or had the sessions dropped prematurely because of firewalls.

  When the worms were infecting machines a couple of years ago our network was robust and stable and I identified and blocked infected machines quickly.  Other universities shut down their residence halls or large portions of their network because their firewalls rolled over and died otherwise from all of the scanning from inside their network.  
  I have talked to universities who consider the firewall the canary of the network world, its the first box in the network to cease functioning when there is a problem.

  Others have already mentioned the troubleshooting nightmares that firewalls generate, I would consider that a harm also.

---
Bruce Curtis                         bruce.curtis at ndsu.edu
Certified NetAnalyst II                701-231-8527
North Dakota State University        





More information about the NANOG mailing list