Re: ACLs vs. full firewalls

["Steven M. Bellovin" <smb () cs columbia edu>]

On Wed, 08 Apr 2009 09:20:34 +1000
Karl Auer <kauer () biplane com au> wrote:

> On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
> > > I'd be interested to hear why people use firewalls.
>
> > End hosts are not always trustworthy.
> >
> > If a host is compromised, should it be able to send anything and  
> > everything out to the public network?
>
> A packet filter looks at the "top surface" of the packet, and
> processes the packet accordingly - based on things like the protocol,
> the source address, the destination address, the TCP flags and so on.
>
> A firewall, on the other hand, makes decisions based on knowledge
> about the data being carried.
>
> I.e., firewall != packet filter; my question related to firewalls.
A packet filter is often part of a firewall, though it's usually not a
complete solution.  However, I'd disagree with your blanket assertion.
A better way to phrase it is that a firewall at a given level cannot
protect against attacks at a different level.  Packet filters don't
block SMTP weirdness or filter Evilscript from web pages; web proxies
don't guard against, say, ACK scans.  It's like it says on the tube of
toothpaste: a packet filter (or for that matter, a firewall) is an
effective security device if used as part of a program of good network
hygiene and regular professional care.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb