Re: Benefit of firewall over NAT-only 'protected' network

[Paul Robertson <proberts () patriot net>]

On Wed, 28 May 2003, Hugh Blandford wrote:

> Please take into consideration that if they had a firewall, it would be
> setup to allow all outbound traffic and let the 'responses' back in.  There

That's a silly and mostly specious pre-requisite.  For instance, most 
small office users have *no* need for IRC, and given that IRC is *the* 
major control vector for trojaned machines, why the heck would you allow it 
outbound from a small office?  Nuke 6667/tcp outbound and you decrease the 
chance of being owned rather significantly, and you break less than 1/2 of 
1% of SOHO users.  

You shouldn't choose "basically no security policy, now what firewall 
fits?" any more than "Here's a firewall, now what policy should it 
support?"

If we don't try to do better, things won't get better.

You need to look at the threats to such environments and then design 
protecitons to meet the real risks, not choose an arbitrary line in the 
sand then say "I'm going to defend this postion because it's not worth 
doing better."

What's the threat, what's the cost to protect against it, and what's the 
cost of not protecting- without a risk analysis, you're checking the 
security checkbox without doing security.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards