[120873] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Jan 5 16:25:03 2010
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <4B43A80C.5010002@2mbit.com>
Date: Tue, 5 Jan 2010 16:20:56 -0500
To: Brielle Bruns <bruns@2mbit.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 5, 2010, at 3:58 PM, Brielle Bruns wrote:
> It's all how you configure and tweak the firewall. Recommending
> people run servers without a firewall is bad advice - do you really want
> your Win2k3 server exposed, SMB, RPC, and all to the world?
Some people think that exposing any functionality by default such as
that is a poor security practice :)
My biggest issue is that people think that Firewalls, AV, etc are a
catch-all for any network/user/security badness. The real world is more
complex than that.
Most people make poor security choices and this creates much larger
issues.
"I thought the firewall would protect me".
"I thought my IPS would protect me"
"I thought my AV would protect me"
Most of these technologies create a truly false sense of security.
I'm once again reminded of many people who do technically "silly" things
like block TCP/53, packets over 512 bytes, port 587, ssl imap ports,
etc.
It's frustrating and sad because it's not an effective security strategy
and frustrates grumpy old-school users as myself that used odi drivers
w/ ka9q to multitask over our CSLIP networks.
- Jared