I don't need no stinking firewall!

Warren Kumari warren at kumari.net
Thu Jan 14 05:37:04 UTC 2010

On Jan 10, 2010, at 1:32 AM, Dobbins, Roland wrote:

> On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
>> Again, a firewall has its place just like any other device in the
>> network, defense in depth is a prudent philosophy to reduce the
>> chances of compromise, it does not eliminate it nor does any
>> architecture you can think of, period

Bah, I was trying not to get sucked into the roaring vortex of this  
thread, but I think that folks are ignoring one of the primary  
benefits of firewalls:
Quite simply, it's this:

I can now place a checkbox in the "Is there a firewall?" column of the  
<insert random acronym here> audit.

While it may be fun to rail against the stupidity, after the Nth time  
that you have had the "This is in no way going to help improve
security and will actually decrease it" argument, you realize that, if  
you want to get real work done, you need to choose your battles.

In many cases the auditor knows that the firewall may not make things
better, and may make them worse, but he has a set of guidelines that  
the contracting company he is working for dictates, and he needs to  
see the widget to sign on the dotted line. I have had auditors  
cheerfully point out that the way that their specific requirement is  
worded, a commodity CPE device plugged into a port somewhere will fully
satisfy their requirements and did I know that BestBuy has them on  
sale this week?


> What a ridiculous statement - of course it does.
> *The place of the stateful firewall is in front of clients, not  
> servers*.
> I'm not going to continue the unequal contest of pitting real-world  
> operational experience against Confused Information Systems Security  
> Professional brainwashing.  One can spout all the buzzwords and  
> catchphrases one wishes, but at the end of the day, it's all dead  
> wrong - and anyone naive enough to fall for it is setting himself up  
> for a world of hurt.
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>    Injustice is relatively easy to bear; what stings is justice.
>                        -- H.L. Mencken
