Re: Firewall opinions wanted please

["Kevin Oberman" <oberman () es net>]

> Date: Wed, 17 Mar 2004 11:57:33 -0600
> From: Rachael Treu <rara () navigo com>
> Sender: owner-nanog () merit edu
>
>
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall, 
> > >
> > > _Everyone_ (network connected) should have a firewall.  My grandma should 
> > > have a firewall.  Nicole, holding dominion over this business network and 
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> >     Why?  When did the end2end nature of the Internet suddenly
> >     sprout these mutant bits of extra complexity that reduce
> >     the overall security of the 'net?  
> >
> >     Two questions asked, Two answers are sufficent.
>
> Nope.  One will do it.  The day the first remote exploit or condition, 
> in protocol or application, that could potentially have given rise to such
> and exploit made it possible for a user not in your control to gain control 
> of your box(en), firewalling became necessary.  Then Internet is not exactly 
> end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the 
> notion of "end-to-end" requires preservation of a connection between 2 
> consenting hosts, and preservation includes securement of that connection 
> against destructive mechanisms, which includes the subversive techniques and 
> intercetptions commonly associated with network security.  
>
> Denial of Service is as much a threat to availability and network 
> functionality as is power outage if it occurs.  Before this turns to a "you 
> security freaks want to screw around with my network and don't care about 
> availability..."
>
> Firewalls are logical interventions, costing as little as some processor
> overhead.  Dedicated appliances are only one deployment.  Filters on 
> routers also qualify as firewalls.  Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
>
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post 
> regarding appropriate and competent administration.  The lack thereof 
> presents the complication, not the countermeasure itself.
>
> As for your assertion that firewalls "reduce the overall security of the 
> 'net."...can you please elaborate on that, as well?  Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.

I dislike firewalls for many applications, although I have a Sonic Wall
on my cable modem. On the whole, they lead to false belief that
firewalls really make you safe. They also block many interesting
applications. Things like H.323 conferencing are made vastly more
complex by firewalls with no easy or canned work-arounds.

One large research site I work closely with has directly opted for IDS
with a bad attitude (love that description) which has successfully
blocked many intrusion and DOS attempts with no major failures. Slammer
did overwhelm it, but it did the same for most everything.

The end-to-end nature of the net is really, really important, but is
being blocked more and more by those who thing the net is web browsing
and e-mail clients and that everything else is simply an annoyance. This
attitude is hamstringing network development already and may end up
turning the commercial Internet into a permanently limited tool with
fewer real capabilities that the ARPANET had before TCP/IP replaced NCP.

Grandma may need a firewall. (My sister DEFINITELY needs one.)  But not
all network connections need or will benefit from a firewall. And many
system will exist with significant security flaws because the owners
believe that the firewall takes care of everything.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net                       Phone: +1 510 486-8634