Firewall Wizards mailing list archives
Re: Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson <proberts () patriot net>
Date: Tue, 27 May 2003 22:50:28 -0400 (EDT)
On Wed, 28 May 2003, Hugh Blandford wrote:
> Please take into consideration that if they had a firewall, it would be setup to allow all outbound traffic and let the 'responses' back in. There
That's a silly and mostly specious pre-requisite. For instance, most small office users have *no* need for IRC, and given that IRC is *the* major control vector for trojaned machines, why the heck would you allow it outbound from a small office? Nuke 6667/tcp outbound and you decrease the chance of being owned rather significantly, and you break less than 1/2 of 1% of SOHO users.

You shouldn't choose "basically no security policy, now what firewall fits?" any more than "Here's a firewall, now what policy should it support?" If we don't try to do better, things won't get better. You need to look at the threats to such environments and then design protections to meet the real risks, not choose an arbitrary line in the sand and then say "I'm going to defend this position because it's not worth doing better." What's the threat, what's the cost to protect against it, and what's the cost of not protecting? Without a risk analysis, you're checking the security checkbox without doing security.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net     which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment  TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
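The policies argued over above, as an added example that is not part of the original thread or of any product mentioned in it: a small stateful packet-filter simulator that admits replies to outbound flows (what a NAT-only box gives you) and then applies one of three outbound policies, the "allow everything outbound" baseline Hugh describes, the same policy with 6667/tcp outbound blocked as Paul suggests, and a default-deny allowlist. The addresses, ports, the allowlist and the sample flows are all constructed for the example.

```python
"""
Added example, not code from the original post: a toy stateful packet
filter used to compare three outbound policies for a small office network.
Addresses, ports, the NEEDED allowlist and the sample flows are constructed;
nothing here is a real capture or a real firewall ruleset.
"""
from dataclasses import dataclass
from typing import Callable

LAN_PREFIX = "192.168.1."   # constructed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False       # True only for the first packet of a new TCP flow


def is_internal(ip: str) -> bool:
    return ip.startswith(LAN_PREFIX)


class StatefulFilter:
    """Remembers outbound flows so their replies are let back in.

    `new_outbound` is the policy for *new* internal->external flows; that
    function is the part a firewall adds over NAT.  Inbound packets that
    match no existing flow are always dropped.
    """

    def __init__(self, new_outbound: Callable[[Packet], bool]):
        self.new_outbound = new_outbound
        self.flows: set = set()

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent 5-tuple so a reply matches its request.
        a = (p.src, p.sport)
        b = (p.dst, p.dport)
        return (p.proto,) + (a + b if a < b else b + a)

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        if key in self.flows:
            return "ACCEPT"                          # reply or continuation
        if is_internal(p.src) and not is_internal(p.dst):
            if p.proto == "tcp" and not p.syn:
                return "DROP"                        # mid-stream, no state
            if self.new_outbound(p):
                self.flows.add(key)
                return "ACCEPT"
            return "DROP"
        return "DROP"                                # unsolicited inbound


# Policy 1: the quoted assumption, every outbound connection allowed.
def allow_all(p: Packet) -> bool:
    return True


# Policy 2: the same, minus the one port the reply singles out (IRC, 6667/tcp).
def allow_all_but_irc(p: Packet) -> bool:
    return not (p.proto == "tcp" and p.dport == 6667)


# Policy 3: default deny outbound; allow only what this office needs
# (constructed list: web, DNS, mail submission/IMAP).
NEEDED = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25), ("tcp", 993)}


def allow_listed(p: Packet) -> bool:
    return (p.proto, p.dport) in NEEDED


def run(policy: Callable[[Packet], bool]) -> dict:
    """Push constructed sample traffic through a filter and report verdicts."""
    fw = StatefulFilter(policy)
    web_out = Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True)
    web_back = Packet("203.0.113.5", 80, "192.168.1.10", 40000)
    irc_out = Packet("192.168.1.10", 40001, "198.51.100.7", 6667, syn=True)
    odd_out = Packet("192.168.1.10", 40002, "198.51.100.9", 31337, syn=True)
    probe_in = Packet("198.51.100.20", 4444, "192.168.1.10", 445, syn=True)
    return {
        "web_out": fw.handle(web_out),
        "web_reply": fw.handle(web_back),
        "irc_out": fw.handle(irc_out),
        "odd_out": fw.handle(odd_out),          # unknown high port, e.g. a bot C2
        "unsolicited_in": fw.handle(probe_in),  # NAT alone already drops this
    }


if __name__ == "__main__":
    for name, policy in [("allow_all", allow_all),
                         ("allow_all_but_irc", allow_all_but_irc),
                         ("allow_listed", allow_listed)]:
        print(f"{name:20s} {run(policy)}")
```

The simulator only models the verdict, not NAT rewriting, but it makes the argument concrete: all three policies drop the unsolicited inbound probe and admit the web reply, so the difference between them is entirely in what a compromised internal host may start. Blocking 6667/tcp removes one control channel at almost no cost; the allowlist removes the unknown high port too, at the cost of having to know what the office actually needs, which is the risk analysis the reply asks for.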
Current thread:
- Benefit of firewall over NAT-only 'protected' network Hugh Blandford (May 27)
- Re: Benefit of firewall over NAT-only 'protected' network Paul Robertson (May 27)
- Re: Benefit of firewall over NAT-only 'protected' network Tina Bird (May 28)
- Re: Benefit of firewall over NAT-only 'protected' network Frank Knobbe (May 28)
- Re: Benefit of firewall over NAT-only 'protected' network Chuck Swiger (May 30)
- Re: Benefit of firewall over NAT-only 'protected' network Frank Knobbe (May 31)
- Re: Benefit of firewall over NAT-only 'protected' network Tina Bird (May 28)
- Re: Benefit of firewall over NAT-only 'protected' network Paul Robertson (May 27)
- Re: Benefit of firewall over NAT-only 'protected' network Hugh Blandford (May 28)
- Re: Benefit of firewall over NAT-only 'protected' network Paul Robertson (May 28)
- Re: Benefit of firewall over NAT-only 'protected' network Bill Royds (May 30)
- Re: Benefit of firewall over NAT-only 'protected' network Paul Robertson (May 28)
- Re: Benefit of firewall over NAT-only 'protected' network ark (May 28)