nanog mailing list archives
Re: I don't need no stinking firewall!
From: Bruce Curtis <bruce.curtis () ndsu edu>
Date: Tue, 12 Jan 2010 17:13:30 -0600
On Jan 6, 2010, at 3:56 PM, Brian Johnson wrote:
> -----Original Message-----
> From: Brian Keefer [mailto:chort () smtps net]
> Sent: Wednesday, January 06, 2010 3:12 PM
> To: Brian Johnson
> Cc: NANOG list
> Subject: Re: I don't need no stinking firewall!
>
> <SNIP>
>
>> IMO you're better off making sure only the services you intend to provide are listening, and that those services are hardened appropriately for public exposure.
>
> OK. This is obvious to anyone with experience in these things. But I also believe in a layered approach. It never hurts to add more layers to prevent human error or even internal breaches, as the different systems are under the control of different equipment (servers, routers, switches, security devices). It's like two supports holding up something without knowing if the other one is doing its job. Both need to pull the full weight in case the other fails.
I disagree. "Never" is pretty absolute. If that were true there would be no limit to the number of layers. Realistically I have experienced the harm from having firewalls in the network path. I have witnessed too many video sessions that either couldn't be started or had the sessions dropped prematurely because of firewalls. When the worms were infecting machines a couple of years ago our network was robust and stable and I identified and blocked infected machines quickly. Other universities shut down their residence halls or large portions of their network because their firewalls rolled over and died otherwise from all of the scanning from inside their network. I have talked to universities who consider the firewall the canary of the network world; it's the first box in the network to cease functioning when there is a problem. Others have already mentioned the troubleshooting nightmares that firewalls generate; I would consider that a harm also.

---
Bruce Curtis bruce.curtis () ndsu edu
Certified NetAnalyst II 701-231-8527
North Dakota State University