nanog mailing list archives

Re: I don't need no stinking firewall!


From: "Kevin Oberman" <oberman () es net>
Date: Tue, 05 Jan 2010 16:55:41 -0800

From: Jared Mauch <jared () puck nether net>
Date: Tue, 5 Jan 2010 16:20:56 -0500

On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote:

It's all how you configure and tweak the firewall.  Recommending people run servers without a firewall is bad 
advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world?

Some people think that exposing any functionality by default such as that is a poor security practice :)

My biggest issue is that people think that Firewalls, AV, etc. are a catch-all for any network/user/security badness. The real world is more complex than that.

Most people make poor security choices and this creates much larger issues.

"I thought the firewall would protect me."
"I thought my IPS would protect me."
"I thought my AV would protect me."

Most of these technologies create a truly false sense of security.

I'm once again reminded of many people who do technically "silly"
things like block TCP/53, packets over 512 bytes, port 587, ssl imap
ports, etc.

It's frustrating and sad because it's not an effective security
strategy and frustrates grumpy old-school users such as myself who used
odi drivers w/ ka9q to multitask over our CSLIP networks.

I suspect at least part of this will soon get fixed due to DNSSEC.
Blocking tcp/53 and packets over 512 bytes will cause user complaints
and, after enough education, the problem will get fixed.

I had a problem with a large US government site due to tcp/53 blocking
and had no luck getting it fixed. The "Security Officer" informed me
that tcp/53 was only ever needed for zone transfer and any other use was
clear evidence of abuse. RFCs meant nothing to him. (I don't know if he
knew what an RFC was.)

Now that gov domains are mandated to be signed, it seems he learned that
tcp/53 could be used for normal operations.

"You can get more with a kind word and a two-by-four than you can with
just a kind word." 
                                         J. Michael Straczynski from
                                         Ceremonies of Light and Dark
                                         Babylon 5
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net                       Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
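An added example, not part of the thread above: a small stdlib-only Python model of why dropping TCP/53 or capping DNS at 512 bytes breaks DNSSEC-era resolution. A DNSSEC-aware client advertises a larger UDP payload size through an EDNS0 OPT record; when the signed answer still does not fit, the server replies with TC=1 and the client must retry over TCP/53, which is exactly the path such a filter removes. The transaction id, the name `example.com` and the truncated reply are constructed sample values.

```python
import struct
QTYPE_A, QTYPE_OPT = 1, 41

def encode_name(name):
    """Wire-format name: length-prefixed labels plus a zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, qtype=QTYPE_A, txid=0x1234, udp_payload=4096, do=True):
    """DNSSEC-aware query: RD set, plus an EDNS0 OPT record advertising a UDP
    payload size above the classic 512-byte limit and setting the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)     # RD; 1 Q, 1 AR
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS = UDP size, TTL = ext-rcode/version/DO
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, udp_payload, 0x8000 if do else 0, 0)
    return header + question + opt

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "arcount": ar}

def advertised_udp_size(query):
    """UDP payload size from the OPT record that follows the single question."""
    i = 12
    while query[i]:
        i += query[i] + 1                # skip each label
    i += 1 + 4                           # terminator, QTYPE, QCLASS
    assert query[i] == 0 and struct.unpack("!H", query[i + 1:i + 3])[0] == QTYPE_OPT
    return struct.unpack("!H", query[i + 3:i + 5])[0]

def needs_tcp_retry(udp_reply):
    """A UDP reply with TC=1 must be retried over TCP/53 (RFC 1035 4.2.1)."""
    return parse_header(udp_reply)["tc"]

def tcp_frame(msg):
    """DNS over TCP prefixes each message with a two-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def plan_next_step(udp_reply, tcp53_reachable=True):
    """Accept the UDP answer, retry over TCP, or fail: the last is what a firewall
    that drops TCP/53 produces once signed answers no longer fit in UDP."""
    if not needs_tcp_retry(udp_reply):
        return "accept-udp"
    return "retry-tcp" if tcp53_reachable else "resolution-fails"

# Constructed sample: a truncated reply (QR|TC|RD|RA, same id, question echoed,
# no answers), as sent when the signed answer exceeds the usable UDP size.
QUERY = build_query("example.com")
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:29]
```

Running `plan_next_step(TRUNCATED_REPLY, tcp53_reachable=False)` is the failure the thread describes: the client has a valid, truncated UDP answer and no permitted transport to fetch the full one.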

