Firewall Wizards mailing list archives

Re: Reactive Firewalls


From: Rick Smith <rsmith () securecomputing com>
Date: Fri, 13 Feb 1998 12:26:50 -0600

The correct choice between denial of service and degraded security of
various forms will always come down to one of local policy. Personally, I'm
more familiar with the notion of shutting down when there are problems, but
that's because for much of my career the Internet (and Arpanet) were
perceived as an efficient shortcut for getting work done. The 'Net was not
an essential communications link like a telephone.

I expect that as time goes on the Internet will get to be more like the
telephone, not less. I have no doubt that our telecom manager would get
fired if he had the phone system go down several times (disconnecting
calls) simply because there was a possibility someone was making an invalid
call or because the system had trouble keeping records of all calls. The
practical default is to let calls go through, but make the best possible
effort to keep things as safe as possible. The name of the game is risk
reduction. We use the tools we've got, but we're not going to stop every
threat no matter how cautious we are.

Although I've done incident analysis and I appreciate the value of a good
audit log, I still recognize that the enterprise didn't install its
Internet connection simply to keep logs on its use -- they did it to
improve their ability to do their job. The only time it makes sense to
interrupt Internet service is if there's a detected danger to the internal
systems. It's not easy to make this judgement, and you really have to base
it on how the service interruption will impact ongoing business and the
perceived value of the Internet connection to the enterprise.

Rick.
smith () securecomputing com
