nanog mailing list archives
RE: I don't need no stinking firewall!
From: "Brian Johnson" <bjohnson () drtel com>
Date: Wed, 13 Jan 2010 09:07:52 -0600
-----Original Message----- From: Bruce Curtis [mailto:bruce.curtis () ndsu edu] Sent: Tuesday, January 12, 2010 5:14 PM To: NANOG list Subject: Re: I don't need no stinking firewall!
<SNIP>
IMO you're better off making sure only the services you intend to provide are listening, and that those services are hardened appropriately for public exposure.OK. This is obvious to anyone with experience in these things. But I also believe in a layered approach. It never hurts to add more
layers
toprevent human error or even internal breaches as the differentsystemsare under the control of different equipment (servers, routers, switches, security devices). It's like two supports holding upsomethingwithout knowing if the other one is doing its job. Both need to pullthefull weight in case the other fails.I disagree. "Never" is pretty absolute. If that were true there would be no limit to the number of layers.
I'm with you, but you get my sentiment without being too literal. :)
Realistically I have experienced the harm from having firewalls in the network path.
I've experienced harm from routers in the network path. If you use the tool correctly and with full knowledge of its limitations, then you will be able to avoid "harm" and add functionality/security/value... whatever the goal is.
I have witnessed too many video sessions that either couldn't be started or had the sessions dropped prematurely because of firewalls.
So putting a firewall that can't handle your traffic in your network path sounds like a bad idea FOR YOU. :)
When the worms were infecting machines a couple of years ago our network was robust and stable and I identified and blocked infected machines quickly. Other universities shut down their residence halls or large portions of their network because their firewalls rolled over and died otherwise from all of the scanning from inside their network.
I remember hearing about this type of thing. I'm sorry for this learning lesson, but that doesn't mean that firewalls are "bad" or that stateful inspection is "bad". It means that it was a bad choice for your environment.
I have talked to universities who consider the firewall the canary
of
the network world, its the first box in the network to cease functioning when there is a problem.
I think this type of assertion is just folly. I would say that some universities (full of all those really smart people ;) should be able to discern that a monkey wrench was being used to do the job of a hammer, or vice versa. The problem was not the tool, but the person who used the wrong tool for the job at hand.
Others have already mentioned the troubleshooting nightmares that firewalls generate, I would consider that a harm also.
I've had one of those "troubleshooting nightmares" before. It was due to MY IGNORANCE of what I was doing. The firewall is not causing the nightmare. Ignorance is. My last statement on this thread is that if you use a tool in the wrong way, you will either break the tool, or the item you are using it on. If you don't know how to use a tool, learn before you try. If you try first, you will learn later (Here comes that nightmare) how the tool does/doesn't work. Specific examples of failure are not failures of the device, but failures of the implementer(s) to correctly use the tool with the obvious exception of vendors not being truthful about the tools capabilities. Please no more examples of specific failures of firewalls. We all know that they were designed by Satan himself to destroy our networks and bring about the Antichrist. ;) - Brian CONFIDENTIALITY NOTICE: This email message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, copying, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Thank you.
Current thread:
- Re: I don't need no stinking firewall!, (continued)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 06)
- Re: I don't need no stinking firewall! Jared Mauch (Jan 06)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 06)
- RE: I don't need no stinking firewall! Brian Johnson (Jan 06)
- Re: I don't need no stinking firewall! Brian Keefer (Jan 06)
- Re: I don't need no stinking firewall! David Hiers (Jan 06)
- RE: I don't need no stinking firewall! Brian Johnson (Jan 06)
- Re: I don't need no stinking firewall! Brian Keefer (Jan 06)
- RE: I don't need no stinking firewall! Brian Johnson (Jan 06)
- Re: I don't need no stinking firewall! Bruce Curtis (Jan 12)
- RE: I don't need no stinking firewall! Brian Johnson (Jan 13)
- Re: I don't need no stinking firewall! Tim Durack (Jan 13)
- Re: I don't need no stinking firewall! Joel Jaeggli (Jan 13)
- Re: I don't need no stinking firewall! Randy Bush (Jan 14)
- RE: I don't need no stinking firewall! George Bonser (Jan 05)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 05)
- RE: I don't need no stinking firewall! George Bonser (Jan 05)
- Re: I don't need no stinking firewall! Arie Vayner (Jan 08)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 08)
- Re: I don't need no stinking firewall! bill from home (Jan 08)
- Re: I don't need no stinking firewall! Dobbins, Roland (Jan 08)