nanog mailing list archives
Re: Telco's write best practices for packet switching networks
From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 06 Mar 2002 10:29:39 -0500
In message <Pine.GSO.4.33.0203061459240.3098-100000 () rampart argfrp us uu net>, "Christopher L. Morrow" writes:
On Wed, 6 Mar 2002, Ron da Silva wrote:On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:In message <gu9ofi1rcwe.fsf () rampart argfrp us uu net>, Eric Brandwine writes:Firewalls are good things for general purpose networks. When you've got a bunch of clueless employees, all using Windows shares, NFS, and all sorts of nasty protocols, a firewall is best practice. Rather than educate every single one of them as to the security implications of their actions, just insulate them, and do what you can behind the firewall. When you've got a deployed server, run by clueful people, dedicated to a single task, firewalls are not the way to go. You've got a DNS server. What are you going to do with a firewall? Permit tcp/53 and udp/53 from the appropriate net blocks. Where's the protection? Turn off unneeded services, chose a resilient and flame tested daemon, and watch the patchlist for it.Precisely. You *may* need a packet filter to block things like SNMP (to name a recent case in point), but a general-purpose firewall is generally the wrong solution for appliance computers.There is no need to drop traffic for things that aren't listening. Eric's point was you deploy your fancy-dan mail server with ONLY 22 and 25 listening, you know that's all that's listening and your daily/hourly/weekly/monthly automated audits tell you this continually and alert when there are problems/deviations. So, why filter anything in this case? It's wasted bandwidth/processing power.
I was agreeing with Eric's point. I've been saying this for years. My
comment about the packet filter was to deal with services that are
needed for some internal purposes, but for some reason can't protect
themselves. Right now, that's snmp -- you may have snmpd running on
your mail server, but given the recent CERT advisory you need to keep
the bad guys away from it. (Yes, you should install fixed code -- but
given how many components were affected by that advisory, it's quite
obvious that no one has had time to test the fixes properly.)
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
Current thread:
- Re: Telco's write best practices for packet switching networks, (continued)
- Re: Telco's write best practices for packet switching networks Christopher L. Morrow (Mar 06)
- Re: Telco's write best practices for packet switching networks Ron da Silva (Mar 06)
- Re: Telco's write best practices for packet switching networks Christopher L. Morrow (Mar 06)
- RE: Telco's write best practices for packet switching networks Daniel Golding (Mar 07)
- Re: Telco's write best practices for packet switching networks Rob Pickering (Mar 06)
- Re: Telco's write best practices for packet switching networks Eric Brandwine (Mar 06)
- Re: Telco's write best practices for packet switching networks Christopher L. Morrow (Mar 06)
- Re: Telco's write best practices for packet switching networks Adam McKenna (Mar 06)
- Message not available
- Re: Telco's write best practices for packet switching networks Simon Higgs (Mar 06)
- Re: Telco's write best practices for packet switching networks Steven J. Sobol (Mar 06)
- Re: Telco's write best practices for packet switching networks Christopher L. Morrow (Mar 06)
- Re: Telco's write best practices for packet switching networks Sean Donelan (Mar 07)
- Re: Telco's write best practices for packet switching networks Joe Abley (Mar 07)
- Re: Telco's write best practices for packet switching networks Christopher L. Morrow (Mar 07)
- Re: Telco's write best practices for packet switching networks Ron da Silva (Mar 08)
- Re: Telco's write best practices for packet switching networks Joe Abley (Mar 08)
- Re: Telco's write best practices for packet switching networks Christopher L. Morrow (Mar 08)