nanog mailing list archives
Re: Firewall opinions wanted please
From: "Steven M. Bellovin" <smb () research att com>
Date: Wed, 17 Mar 2004 15:37:32 -0500
In message <4058AEF2.2060109 () he iki fi>, Petri Helenius writes:
> No, the applications should accept only authorized connections. If that would be the case, there would be no need to filter at packet level.
No. Quite apart from the fact that you mean "authorized", not "authenticated", the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem. Put in a NANOG-friendly way, they're a scalable security mechanism that can *help* defend you. Think of the endorsement on most tubes of (American) toothpaste:

    ... has been shown to be an effective decay-preventive dentifrice that can be of significant value when used as directed in a conscientiously applied program of oral hygiene and regular professional care.

If all you want to do is say "no" to all incoming connections on a single machine, you don't need a separate box labeled "firewall" -- assuming, of course, that your host is properly configured. Most systems aren't configured that way; worse yet, it takes a lot of knowledge to understand how to block things, and when it's ok to do so. (It's an amusing exercise to run ZoneAlarm on a new, out-of-the-box Windows machine and see how many different programs think they need to talk to the network, or (worse yet) act as servers.) But it's a lot of work to configure a machine to be that safe, and if you have a hundred or a thousand of them you can't do it; entropy will open up new holes -- that is, open up new sockets for buggy applications -- faster than you can close them down.

Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful.

Perfect? No, of course not. A good idea? Absolutely.

--Steve Bellovin, http://www.research.att.com/~smb
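The "how many programs act as servers" exercise above, done the host-audit way on Linux: an added example (not code from the thread or its authors) that parses /proc/net/tcp, keeps the sockets in LISTEN state, and reports any network-reachable listener that is not on an allowlist. The sample input is constructed in that file's layout, and the address decode assumes a little-endian host.

```python
import struct
from typing import List, NamedTuple, Set, Tuple

LISTEN = "0A"  # value of the 'st' column for TCP_LISTEN in /proc/net/tcp


class Listener(NamedTuple):
    addr: str
    port: int
    uid: int


# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# sshd on 0.0.0.0:22, a resolver on 127.0.0.1:53, a uid-1000 process on
# 0.0.0.0:8080, and one ESTABLISHED connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0A000002:C3A2 5DB8D822:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(field: str) -> Tuple[str, int]:
    """'0100007F:0035' -> ('127.0.0.1', 53). The kernel prints the IPv4
    address as a host-order 32-bit hex word, so unpack it little-endian."""
    ip_hex, port_hex = field.split(":")
    ip_bytes = struct.pack("<I", int(ip_hex, 16))
    return ".".join(str(b) for b in ip_bytes), int(port_hex, 16)


def parse_listeners(text: str) -> List[Listener]:
    """Return every socket in LISTEN state from /proc/net/tcp-formatted text."""
    found = []
    for line in text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 8 or cols[3] != LISTEN:
            continue
        addr, port = decode_addr(cols[1])
        found.append(Listener(addr, port, int(cols[7])))  # cols[7] is uid
    return found


def unexpected_listeners(listeners: List[Listener], allowlist: Set[Tuple[str, int]],
                         ignore_loopback: bool = True) -> List[Listener]:
    """Listeners missing from the allowlist. Loopback-only binds are skipped
    by default because nothing on the network can reach them."""
    return [l for l in listeners
            if not (ignore_loopback and l.addr.startswith("127."))
            and (l.addr, l.port) not in allowlist]


def audit(text: str = SAMPLE_PROC_NET_TCP,
          allowlist: Set[Tuple[str, int]] = frozenset({("0.0.0.0", 22)})) -> List[Listener]:
    return unexpected_listeners(parse_listeners(text), allowlist)


if __name__ == "__main__":
    # On a real Linux host, pass open("/proc/net/tcp").read() instead of the sample.
    for l in audit():
        print(f"unexpected listener {l.addr}:{l.port} (uid {l.uid})")
```

Run it from cron against a per-role allowlist and diff the output over time; that is the "entropy opens new sockets" drift the message describes, made visible.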