nanog mailing list archives
Re: ACLs vs. full firewalls
From: "Steven M. Bellovin" <smb () cs columbia edu>
Date: Tue, 7 Apr 2009 19:38:10 -0400
On Wed, 08 Apr 2009 09:20:34 +1000 Karl Auer <kauer () biplane com au> wrote:
> On Wed, 2009-04-08 at 10:46 +1200, Nathan Ward wrote:
> > I'd be interested to hear why people use firewalls.
>
> End hosts are not always trustworthy. If a host is compromised, should it be able to send anything and everything out to the public network?
>
> A packet filter looks at the "top surface" of the packet, and processes the packet accordingly - based on things like the protocol, the source address, the destination address, the TCP flags and so on. A firewall, on the other hand, makes decisions based on knowledge about the data being carried. I.e., firewall != packet filter; my question related to firewalls.
A packet filter is often part of a firewall, though it's usually not a complete solution. However, I'd disagree with your blanket assertion. A better way to phrase it is that a firewall at a given level cannot protect against attacks at a different level. Packet filters don't block SMTP weirdness or filter Evilscript from web pages; web proxies don't guard against, say, ACK scans. It's like it says on the tube of toothpaste: a packet filter (or for that matter, a firewall) is an effective security device if used as part of a program of good network hygiene and regular professional care.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
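As an added illustration of the "different level" point in Steve's reply (this is constructed example code, not anything posted in the thread), a header-only stateful packet filter and a payload-only content inspector are run over the same three constructed packets; the class names, port list and banned pattern are assumptions made for the sketch.

```python
# Constructed sketch: each filter sees only its own layer, so each one
# accepts something the other drops.  Names and rules are assumptions.
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: set                 # TCP flags, e.g. {"SYN"} or {"PSH", "ACK"}
    payload: bytes = b""


class StatefulPacketFilter:
    """Decides on the packet's 'top surface' only: addresses, port, flags, state."""

    def __init__(self, allowed_ports):
        self.allowed_ports = allowed_ports
        self.established = set()        # (src, dst, dport) keys seen with a SYN

    def verdict(self, p):
        key = (p.src, p.dst, p.dport)
        if p.dport not in self.allowed_ports:
            return "drop: port not permitted"
        if "SYN" in p.flags and "ACK" not in p.flags:
            self.established.add(key)   # new connection, remember it
            return "accept: new connection"
        if key not in self.established:
            return "drop: no matching connection (unsolicited ACK)"
        return "accept: established"


class ContentInspector:
    """Decides on the data carried, never on the headers."""

    def __init__(self, banned):
        self.banned = banned

    def verdict(self, p):
        for pat in self.banned:
            if pat in p.payload.lower():
                return f"drop: payload matches {pat!r}"
        return "accept: content ok"


# Constructed traffic: a handshake SYN, a page carrying a hostile script,
# and a bare ACK that belongs to no connection the filter has seen.
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80, {"SYN"}),
    Packet("10.0.0.5", "192.0.2.10", 80, {"PSH", "ACK"}, b"<script>evil()</script>"),
    Packet("198.51.100.9", "192.0.2.10", 80, {"ACK"}),
]


def run(packets):
    """Return (packet-filter verdict, content-inspector verdict) per packet."""
    pf = StatefulPacketFilter(allowed_ports={80})
    ci = ContentInspector(banned=[b"<script>evil"])
    return [(pf.verdict(p), ci.verdict(p)) for p in packets]
```

The script-carrying packet passes the packet filter (its headers are those of an established connection) and is caught only by the inspector, while the stray ACK passes the inspector (no payload) and is caught only by the packet filter.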
Current thread:
- ACLs vs. full firewalls Michael Helmeste (Apr 07)
- Re: ACLs vs. full firewalls Justin M. Streiner (Apr 07)
- Re: ACLs vs. full firewalls Eric Gauthier (Apr 07)
- Re: ACLs vs. full firewalls Michael Helmeste (Apr 07)
- Re: ACLs vs. full firewalls Matthew Petach (Apr 07)
- Re: ACLs vs. full firewalls Mark Smith (Apr 07)
- Re: ACLs vs. full firewalls Karl Auer (Apr 07)
- Re: ACLs vs. full firewalls Nathan Ward (Apr 07)
- Re: ACLs vs. full firewalls Karl Auer (Apr 07)
- Re: ACLs vs. full firewalls Steven M. Bellovin (Apr 07)
- Re: ACLs vs. full firewalls Karl Auer (Apr 07)
- Re: ACLs vs. full firewalls Ravi Pina (Apr 15)
- RE: ACLs vs. full firewalls TJ (Apr 15)
- Re: ACLs vs. full firewalls ubaidali_abdul_razack (Apr 07)