[120890] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Tue Jan 5 21:21:16 2010
Date: Tue, 5 Jan 2010 21:20:31 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <29A54911243620478FF59F00EBB12F4701B27EDF@ex01.drtel.lan>
A firewall is another layer in a defense-in-depth strategy, but tends
to only be truly effective if the first rule in it is
deny all from any to any
which of course does not happen much of the time in the real world,
with predictable results.
Moreover, stateful packet inspection is not the end-all be-all: there's
a lot to be said for application-level proxying, and for quasi-realtime
traffic analysis.
I think of my firewalls as tools which reduce the overwhelming flood
of malicious and garbage traffic to a trickle -- which does not necessarily
reduce the attack surface or the threats to it, but may at least allow
me a better chance of seeing the threats and doing something useful
about them.
---Rsk
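The post's point about rule order and default deny, as an added example that is not part of the original message: a small first-match packet-filter evaluator in Python, run over two constructed rulesets (a default-deny policy whose catch-all deny also applies when nothing matches, and the more common permissive shape) and a few constructed flows. All addresses, rules and flows below are made up for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Flow = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


def _match(rule: Rule, flow: Flow) -> bool:
    src, dst, dport = flow
    return (ip_address(src) in _net(rule.src)
            and ip_address(dst) in _net(rule.dst)
            and (rule.dport is None or rule.dport == dport))


def decide(ruleset: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow that matches no rule is denied."""
    for rule in ruleset:
        if _match(rule, flow):
            return rule.action
    return "deny"


# Constructed default-deny policy: explicit permits, then deny everything.
DEFAULT_DENY = [
    Rule("allow", "any", "198.51.100.10/32", 443),        # public web server
    Rule("allow", "192.0.2.0/24", "198.51.100.0/24", 22),  # SSH from mgmt net
    Rule("deny", "any", "any", None),
]

# Constructed "real world" policy: block one known-bad net, allow the rest.
PERMISSIVE = [
    Rule("deny", "203.0.113.0/24", "any", None),
    Rule("allow", "any", "any", None),
]

# Constructed flows: web traffic, an admin SSH session, and an RDP probe.
FLOWS: List[Flow] = [
    ("198.18.0.9", "198.51.100.10", 443),
    ("192.0.2.5", "198.51.100.20", 22),
    ("198.18.0.9", "198.51.100.20", 3389),
]


def trickle(ruleset: List[Rule], flows: List[Flow]) -> List[Flow]:
    """The traffic that actually reaches the hosts behind the filter."""
    return [f for f in flows if decide(ruleset, f) == "allow"]
```

With the permissive ruleset the RDP probe reaches the host; with the default-deny ruleset it is dropped, and only the two expected flows remain to be looked at.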