Firewall Wizards mailing list archives

Re: are firewalls limited to only protecting Ethernet connections?


From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 07 Oct 1998 18:29:19 -0400

In message <361BE21B.733B () securecomputing com>, ICMan writes:

> If all signalling goes digital, for whatever reason, then television,
> video phones, and data networks will likely all use the same signalling
> mechanism.

...

You miss my point.  I agree that it's likely that multiple networks
will use the same signaling mechanism.  But there's no particular
reason why they'll all terminate on the same endpoint, and in fact
I doubt that they will.  But even if they do, so what?  You can't
use a firewall to shield the port that delivers the service to the
customer.  A firewall can shield the other ports on that machine -- but
my claim is that special-purpose machines don't need, and shouldn't
have, any other services running.

Firewalls are not a magic talisman that will protect code that has to
be exposed.  They can be effective security devices that help protect
other services that you may need elsewhere on your net.  But if it's
exposed, it has to protect itself, and that in turn will require not
just crypto -- though we need that, too -- but also correct code.



