nanog mailing list archives

Re: Telco's write best practices for packet switching networks


From: "Christopher L. Morrow" <chris () UU NET>
Date: Wed, 6 Mar 2002 15:04:00 +0000 (GMT)


On Wed, 6 Mar 2002, Ron da Silva wrote:


On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:

In message <gu9ofi1rcwe.fsf () rampart argfrp us uu net>, Eric Brandwine writes:


Firewalls are good things for general purpose networks.  When you've
got a bunch of clueless employees, all using Windows shares, NFS, and
all sorts of nasty protocols, a firewall is best practice.  Rather
than educate every single one of them as to the security implications
of their actions, just insulate them, and do what you can behind the
firewall.

When you've got a deployed server, run by clueful people, dedicated to
a single task, firewalls are not the way to go.  You've got a DNS
server.  What are you going to do with a firewall?  Permit tcp/53 and
udp/53 from the appropriate net blocks.  Where's the protection?  Turn
off unneeded services, choose a resilient and flame-tested daemon, and
watch the patchlist for it.

Precisely.  You *may* need a packet filter to block things like SNMP
(to name a recent case in point), but a general-purpose firewall is
generally the wrong solution for appliance computers.

There is no need to drop traffic for things that aren't listening. Eric's
point was you deploy your fancy-dan mail server with ONLY 22 and 25
listening, you know that's all that's listening and your
daily/hourly/weekly/monthly automated audits tell you this continually and
alert when there are problems/deviations.  So, why filter anything in this
case? It's wasted bandwidth/processing power.


Hmm...but certainly part of the right solution for a general "appliance"
network.


If you run a little network where you know 'precisely' the ins and outs
there isn't any reason NOT to have a firewall, IMHO. At the very least for
logging/auditing info it's a must. For a backbone filtering is another
story entirely. Filtering backbone equipment for its protection is also a
completely different topic...

-Chris
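The automated listening-port audit the thread relies on (a dedicated mail server with only 22 and 25 expected, alerting on any deviation), written out as an added example that is not from the original posts. It parses `ss -Hltn` output; the sample output is constructed, and the expected-port set is an assumption taken from the mail-server case above.

```python
"""Listening-socket audit for a single-purpose host.

Baseline: the host should listen on exactly the expected TCP ports.
Anything else listening, or an expected service that is NOT listening,
is a deviation that the scheduled run should alert on.
"""
import re
import subprocess

EXPECTED_TCP = {22, 25}  # assumption: ssh + smtp, the mail server in the thread

# Constructed sample of `ss -Hltn` (listening TCP, numeric, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
LISTEN 0      4096       127.0.0.1:6379      0.0.0.0:*
"""

# State Recv-Q Send-Q LocalAddr:Port PeerAddr:Port ...; backtracking on \S+
# makes this work for both "0.0.0.0:22" and "[::]:22".
LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+")


def parse_listening(ss_output):
    """Return {(bind_addr, port)} for every LISTEN line in ss output."""
    socks = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            socks.add((m.group(1), int(m.group(2))))
    return socks


def audit(listening, expected=EXPECTED_TCP):
    """Compare sockets to the baseline.

    Returns (unexpected, missing): unexpected is a sorted list of
    (bind_addr, port) not in the baseline (the address shows whether it is
    reachable from the wire or loopback-only); missing is a sorted list of
    expected ports with no listener (the service has died or been disabled).
    """
    ports = {port for _, port in listening}
    unexpected = sorted((a, p) for a, p in listening if p not in expected)
    missing = sorted(expected - ports)
    return unexpected, missing


def audit_live_host(expected=EXPECTED_TCP):
    """Run the same audit on the local Linux host (needs iproute2 `ss`)."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True,
                         text=True, check=True).stdout
    return audit(parse_listening(out), expected)


if __name__ == "__main__":
    unexpected, missing = audit(parse_listening(SAMPLE_SS_OUTPUT))
    for addr, port in unexpected:
        print(f"ALERT: unexpected listener {addr}:{port}")
    for port in missing:
        print(f"ALERT: expected service on tcp/{port} is not listening")
    if not unexpected and not missing:
        print("OK: listening set matches baseline")
```

Scheduled from cron, a non-empty result is the "deviation" the post describes; on the sample input it flags the loopback-only 6379 listener and reports nothing missing.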
