nanog mailing list archives
Re: I don't need no stinking firewall!
From: "Michael K. Smith" <mksmith () adhost com>
Date: Sun, 10 Jan 2010 17:03:11 -0800
On 1/9/10 10:32 PM, "Dobbins, Roland" <rdobbins () arbor net> wrote:
> On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
>
>> Again, a firewall has its place just like any other device in the network, defense in depth is a prudent philosophy to reduce the chances of compromise, it does not eliminate it nor does any architecture you can think of, period
>
> What a ridiculous statement - of course it does. *The place of the stateful firewall is in front of clients, not servers*. I'm not going to continue the unequal contest of pitting real-world operational experience against Confused Information Systems Security Professional brainwashing. One can spout all the buzzwords and catchphrases one wishes, but at the end of the day, it's all dead wrong - and anyone naive enough to fall for it is setting himself up for a world of hurt.

I certainly understand and agree with your position, in most cases, but there are some instances when a firewall serves an excellent purpose. As an example, we manage hundreds of heterogeneous servers where customers also have administrative access to the devices. As such, we can never be sure they haven't changed something that can negatively impact the security of the server or servers. However, since the firewall is a magic box they don't want anything to do with it. This means that I can keep a server fairly secure from extraneous cruft and have a demarcation point into and out of the customer's environment that I control.

I understand this does nothing for SQL injection, XSS, and other application-layer mischief, but it does wonders for keeping all the other stuff blocked, even when a customer "admin" says "why do I need Windows Firewall?"

I wish I had a perfect world where I had a homogenous server environment that I controlled all the way through the stack with only one Management Layer to deal with. But, I'm glad I don't because these customers pay my salary.

Regards,
Mike