Re: Telco's write best practices for packet switching networks

["Steven M. Bellovin" <smb () research att com>]

In message <Pine.GSO.4.40.0203071618090.25551-100000 () clifden donelan com>, Sean
 Donelan writes:
> My comment was originally prompted by the meeting minutes which
> reported on the survey data showing that 100% of carriers are implementing
> firewalls in their gateways.  The 100% is what caught my eye.  As the
> topic comes up in various places, large ISPs repeatedly say they are
> unable to implement filters or packet screening on their high-speed
> links such as at peering points.  So the self-reported 100% implementation
> of screening and filtering firewalls at gateways didn't seem to jive
> with my understanding of the limitations faced by large ISPs.

Yup.
> Firewalls can be a useful tool in the security engineer's toolbox.  But
> they get misused a lot.  I don't believe security engineers are better
> programmers.  If there was a class of programmers in the world that didn't
> make mistakes, I would hire them to write the applications. When the
> firewall is more complex than the application server it is "protecting"
> which is likely to have more mistakes?
Yes and no.  I don't think that security programmers are any better 
than application programmers.  But they might be trained differently.  
For example, I suspect that most application programmers have never 
heard of format string vulnerabilities.  I would hope that most 
security professionals have.

But you're absolutely right about the complexity of many of today's 
firewalls -- I've been complaining about that for years.

                --Steve Bellovin, http://www.research.att.com/~smb
                Full text of "Firewalls" book now at http://www.wilyhacker.com