I don't need no stinking firewall!
Warren Kumari
warren at kumari.net
Thu Jan 14 05:37:04 UTC 2010
On Jan 10, 2010, at 1:32 AM, Dobbins, Roland wrote:
>
> On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
>
>> Again, a firewall has its place just like any other device in the
>> network, defense in depth is a prudent philosophy to reduce the
>> chances of compromise, it does not eliminate it nor does any
>> architecture you can think of, period
>
Bah, I was trying not to get sucked into the roaring vortex of this
thread, but I think that folks are ignoring one of the primary
benefits of firewalls:

Quite simply, it's this:

I can now place a checkbox in the "Is there a firewall?" column of the
<insert random acronym here> audit.

While it may be fun to rail against the stupidity, after the Nth time
that you have had the "This is in no way going to help improve
security and will actually decrease it" argument, you realize that, if
you want to get real work done, you need to choose your battles.

In many cases the auditor knows that the firewall may not make things
better, and may make them worse, but he has a set of guidelines that
the contracting company he is working for dictates, and he needs to
see the widget to sign on the dotted line. I have had auditors
cheerfully point out that the way that their specific requirement is
worded, a commodity CPE device plugged into a port somewhere will fully
satisfy their requirements and did I know that BestBuy has them on
sale this week?

W

> What a ridiculous statement - of course it does.
>
> *The place of the stateful firewall is in front of clients, not
> servers*.
>
> I'm not going to continue the unequal contest of pitting real-world
> operational experience against Confused Information Systems Security
> Professional brainwashing. One can spout all the buzzwords and
> catchphrases one wishes, but at the end of the day, it's all dead
> wrong - and anyone naive enough to fall for it is setting himself up
> for a world of hurt.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken