nanog mailing list archives

Re: Firewall opinions wanted please


From: bill <bmanning () karoshi com>
Date: Wed, 17 Mar 2004 15:01:50 -0800 (PST)


"the primary purpose of a firewall is to keep the bad 
guys away from the buggy code.  Firewalls are the networks' response to 
the host security problem."

        a pretty good sound bite. :)

Add to that that you don't really know what's 
safe or unsafe, and that you have some services that are convenient for 
insiders but don't have adequate, scalable authentication on which you 
can build an authorization mechanism, and you see why firewalls are 
useful.

Perfect?   No, of course not.  A good idea?  Absolutely.  

        Er... perhaps.

        Who is configuring the "firewall"? What are its capabilities?
        How easy will it be to deploy new services?  I, as an enduser,
        am abdicating most of my responsibility to or it is being hijacked
        by one or more network service providers.   Ken is right.

        Firewalls, in general, seem to be a great place for blackhats
        to focus on.  DoS is trivial, the degenerate case is encaps
        of everything into stuff that passes through the firewall
        (IP over port 80), and then we've just pushed the problem
        elsewhere, adding more complexity to the system for little
        if any improvement in the overall integrity.  Sounds like
        the result is a system that is more fragile. 

              --Steve Bellovin, http://www.research.att.com/~smb

--bill (cynic)

        Noting that the nanog thread of the day has changed, but 
        not n'cessly for the better. :)

