Re: Telco's write best practices for packet switching networks

[Ron da Silva <ron () aol net>]

On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
> In message <gu9ofi1rcwe.fsf () rampart argfrp us uu net>, Eric Brandwine writes:
>
> > Firewalls are good things for general purpose networks.  When you've
> > got a bunch of clueless employees, all using Windows shares, NFS, and
> > all sorts of nasty protocols, a firewall is best practice.  Rather
> > than educate every single one of them as to the security implications
> > of their actions, just insulate them, and do what you can behind the
> > firewall.
> >
> > When you've got a deployed server, run by clueful people, dedicated to
> > a single task, firewalls are not the way to go.  You've got a DNS
> > server.  What are you going to do with a firewall?  Permit tcp/53 and
> > udp/53 from the appropriate net blocks.  Where's the protection?  Turn
> > off unneeded services, chose a resilient and flame tested daemon, and
> > watch the patchlist for it.
>
> Precisely.  You *may* need a packet filter to block things like SNMP 
> (to name a recent case in point), but a general-purpose firewall is 
> generally the wrong solution for appliance computers.

Hmm...but certainly part of the right solution for a general "appliance"
network.

-ron