nanog mailing list archives

Re: Firewall opinions wanted please

From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 17 Mar 2004 15:37:32 -0500

In message <4058AEF2.2060109 () he iki fi>, Petri Helenius writes:

> No, the applications should accept only authorized connections. If that 
> would be the case, there would be no need to filter at packet level.

No.  Quite apart from the fact that you mean "authorized", not 
"authenticated", the primary purpose of a firewall is to keep the bad 
guys away from the buggy code.  Firewalls are the networks' response to 
the host security problem.

Put in a NANOG-friendly way, they're a scalable security mechanism 
that can *help* defend you.  Think of the endorsement on most tubes of 
(American) toothpaste:

   ... has been shown to be an effective decay-preventive
   dentifrice that can be of significant value when used as directed
   in a conscientiously applied program of oral hygiene and
   regular professional care.

If all you want to do is say "no" to all incoming connections on a 
single machine, you don't need a separate box labeled "firewall" 
-- assuming, of course, that your host is properly configured.  Most 
systems aren't configured that way; worse yet, it takes a lot of 
knowledge to understand how to block things, and when it's ok to do so.
(It's an amusing exercise to run ZoneAlarm on a new, out-of-the box 
Windows machine and see how many different programs think they need to 
talk to the network, or (worse yet) act as servers.)  But it's a lot of 
work to configure a machine to be that safe, and if you have a hundred 
or a thousand of them you can't do it; entropy will open up new holes 
-- that is, open up new sockets for buggy applications -- faster than 
you can close them down.  Add to that that you don't really know what's 
safe or unsafe, and that you have some services that are convenient for 
insiders but don't have adequate, scalable authentication on which you 
can build an authorization mechanism, and you see why firewalls are 

Perfect?   No, of course not.  A good idea?  Absolutely.  

                --Steve Bellovin,
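The point about entropy opening new sockets faster than an administrator can close them is something you can measure on a host rather than argue about. The script below is an added example and is not code from Bellovin's post or from NANOG: it parses listener lines in the style of `ss -Hltnp` output (the column layout is an assumption; real output varies by version), compares each listening socket against a per-host baseline of what is supposed to be exposed, and reports anything else. The sample output, the baseline and the process names in it are constructed for illustration.

```python
"""Audit a host's listening sockets against an expected baseline.

Added example, not from the original post. It reads text shaped like
`ss -Hltnp` output (assumption: that column layout) and reports
listeners that the baseline does not allow, which is the "how many
programs act as servers" check done as data rather than by eye.
"""
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -Hltnp` (process names,
# pids and ports are made up for this example).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=455,fd=7))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=900,fd=13))
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:* users:(("helper_svc",pid=1337,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""

# Baseline for this host: (process name, port) -> addresses it may
# bind. Anything not listed here is an unexpected listener.
EXPECTED = {
    ("sshd", 22): {"0.0.0.0", "::"},
    ("cupsd", 631): {"127.0.0.1"},
}

# Matches: state, recv-q, send-q, local addr:port, peer, users:(("proc",pid=N
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    proc: str
    pid: int
    addr: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when bound to something other than loopback."""
        return self.addr not in ("127.0.0.1", "::1")


def parse_ss(text: str) -> list[Listener]:
    """Parse ss-style listener lines; lines that don't match are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr = m.group("addr").strip("[]")  # "[::]" -> "::"
        listeners.append(
            Listener(m.group("proc"), int(m.group("pid")), addr, int(m.group("port")))
        )
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED) -> list[Listener]:
    """Return listeners whose (process, port) or bind address is not in the baseline."""
    flagged = []
    for l in listeners:
        allowed = expected.get((l.proc, l.port))
        if allowed is None or l.addr not in allowed:
            flagged.append(l)
    return flagged


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT)):
        scope = "EXPOSED" if l.exposed else "loopback"
        print(f"{scope:8} {l.proc}[{l.pid}] {l.addr}:{l.port} not in baseline")
```

Run against real `ss -Hltnp` output it becomes the per-host check Bellovin describes as hard to keep up across a thousand machines: the baseline has to be maintained by hand, and every new package that opens a socket shows up as a diff until someone decides whether it belongs. That maintenance burden, not the script, is the argument for a network-level filter in front of hosts you cannot audit this closely.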
