Re: Firewall opinions wanted please

[Rachael Treu <rara () navigo com>]

Guys...firewall is as generic a term as any.  Saying grandma needs a 
router does not mean that an M20 is interchangeable with her Linksys.

The definition of firewall[1]:
1. A fireproof wall used as a barrier to prevent the spread of fire. 
2. Computer Science. Any of a number of security schemes that prevent unauthorized users from gaining access to a 
computer network or that monitor transfers of information to and from the network. 

By that rationale, firewall includes ACLs, filtering, and the umpteen
built-in apps that ship standard with home CPE/routers that _call
themselves_ firewall software.

I am absolutely talking access control.  Not about an HA Netscreen500
pair with VRRP off redundant switch fabric and H.323 support. 

As for your cost commentary, you are absolutely right.  I said grandma
needs a firewall, not that she has one or will buy one.  That is the
unfortunate disparity between prudence and practical application.

--ra

[1]http://dictionary.reference.com/search?q=firewall

-- 
k. rachael treu, CISSP       rara () navigo com
..quis costodiet ipsos custodes?..

On Wed, Mar 17, 2004 at 11:19:54AM -0800, Alexei Roudnev said something to the effect of:
> Not _firewalling_, but access limitation. Grandma can live with PNAT
> router - she do not need any firewall, if she do not grant external access
> to anything. She can live with Windows  _default deny_ setting.  If grandma
> have extra money, it is better to purchase anty-virus.
>
> Moreover. Just for _ghrandma_, it can be cheaper do nothing than to invest
> into security (bad  thing for us, I know!) - because she lost '$0' in case
> of intrusion... It explains shidespread of modern viruses, spam-trojans etc
> (they cost '$0' to infected households in many cases).
>
> It is as Wireless access - my friend have secured access point, but when I
> tried, I could use unsecured access points of 2 his neighbourths.
> They know abouth insecurity - but they do not lost anything, so they do not
> want to spend $0.01 to improve it. And unfortunately, I can not blame them.
>
>
> > On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the
> effect of:
> > > > > The best option I guess is to figure out how important it is for you
> to have a firewall,
> > > > _Everyone_ (network connected) should have a firewall.  My grandma
> should
> > > > have a firewall.  Nicole, holding dominion over this business network
> and
> > > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > > Why?  When did the end2end nature of the Internet suddenly
> > > sprout these mutant bits of extra complexity that reduce
> > > the overall security of the 'net?
> > >
> > > Two questions asked, Two answers are sufficent.
> >
> > Nope.  One will do it.  The day the first remote exploit or condition,
> > in protocol or application, that could potentially have given rise to such
> > and exploit made it possible for a user not in your control to gain
> control
> > of your box(en), firewalling became necessary.  Then Internet is not
> exactly
> > end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the
> > notion of "end-to-end" requires preservation of a connection between 2
> > consenting hosts, and preservation includes securement of that connection
> > against destructive mechanisms, which includes the subversive techniques
> and
> > intercetptions commonly associated with network security.
> >
> > Denial of Service is as much a threat to availability and network
> > functionality as is power outage if it occurs.  Before this turns to a
> "you
> > security freaks want to screw around with my network and don't care about
> > availability..."
> >
> > Firewalls are logical interventions, costing as little as some processor
> > overhead.  Dedicated appliances are only one deployment.  Filters on
> > routers also qualify as firewalls.  Am I correct in understanding that you
> > feel edge filtering is mutant lunacy and unnecessary complexity?
> >
> > Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> > regarding appropriate and competent administration.  The lack thereof
> > presents the complication, not the countermeasure itself.
> >
> > As for your assertion that firewalls "reduce the overall security of the
> > 'net."...can you please elaborate on that, as well?  Other factions
> might/do
> > argue that it's the other team refusing to lock their doors at night that
> > are perpetuating the flux of bad behavior as a close second to the
> ignorant
> > and infected.
> >
> > --ra
> >
> > -- 
> > k. rachael treu, CISSP       rara () navigo com
> > ..quis costodiet ipsos custodes?..
> > > --bill