[120901] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (William Herrin)
Wed Jan 6 02:46:17 2010

In-Reply-To: <20100106022030.GA26925@gsp.org>
From: William Herrin <herrin-nanog@dirtside.com>
Date: Wed, 6 Jan 2010 02:45:17 -0500
To: Rich Kulawiec <rsk@gsp.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Jan 5, 2010 at 9:20 PM, Rich Kulawiec <rsk@gsp.org> wrote:
> A firewall is another layer in a defense-in-depth strategy, but tends
> to only be truly effective if the first rule in it is
>
>         deny all from any to any

Not surprisingly, good network security starts with and incorporates
the protected users as its most important element. Start with "deny
all" and not only won't they work with you, the more creative among
them will teach the others how to work around you.

I've seen it over and over again and the faulty design always starts
with a deny-all mentality.

Can you imagine a deny-all mentality in physical security? I'm sorry
sir, you can't leave your house until you justify your need to walk
down the street.

Regards,
Bill Herrin


-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
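An added example, not part of Bill's or Rich's posts: the thread hinges on a first-match rule list where "deny all from any to any" appears first. The evaluator below is hypothetical code written for this page (the `Rule` class, `evaluate` and `shadowed` are my names, not any firewall's syntax), and it shows the two readings side by side: with deny-all as rule 1 every later permit is unreachable, while the same permits followed by a final deny-all give the default-deny policy with explicit exceptions. The addresses are constructed from the RFC 5737 documentation ranges.

```python
"""First-match packet filter: where 'deny all from any to any' sits decides everything."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp", "icmp" or "any"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    dport: Optional[int]  # destination port, None means any port


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("any", pkt["proto"])
            and _net_match(rule.src, pkt["src"])
            and _net_match(rule.dst, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt.get("dport")))


def evaluate(rules: list, pkt: dict):
    """Return (action, rule index) of the first matching rule.

    If nothing matches, the implicit policy here is deny, reported with index None.
    """
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _covers_net(outer: str, inner: str) -> bool:
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is already matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and _covers_net(outer.src, inner.src)
            and _covers_net(outer.dst, inner.dst)
            and (outer.dport is None or outer.dport == inner.dport))


def shadowed(rules: list) -> list:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


# Constructed policies (RFC 5737 documentation addresses, not a real network).
DENY_ALL = Rule("deny", "any", "any", "any", None)
PERMITS = [
    Rule("allow", "tcp", "any", "192.0.2.10/32", 443),   # public HTTPS server
    Rule("allow", "tcp", "192.0.2.0/24", "any", None),   # internal hosts going out
]
DENY_FIRST = [DENY_ALL] + PERMITS     # the literal reading of "first rule is deny all"
DEFAULT_LAST = PERMITS + [DENY_ALL]   # default deny with explicit exceptions

# Constructed sample traffic.
HTTPS_IN = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 443}
SSH_OUT = {"proto": "tcp", "src": "192.0.2.55", "dst": "203.0.113.9", "dport": 22}
TELNET_IN = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.20", "dport": 23}


if __name__ == "__main__":
    for name, policy in (("deny-first", DENY_FIRST), ("default-last", DEFAULT_LAST)):
        print(name, "unreachable rules:", shadowed(policy))
        for label, pkt in (("https in", HTTPS_IN), ("ssh out", SSH_OUT), ("telnet in", TELNET_IN)):
            print("  ", label, "->", evaluate(policy, pkt))
```

Running the `shadowed` check against a real rule list is the practical takeaway: a catch-all deny placed anywhere but last turns every rule beneath it into dead configuration, which is the situation Bill describes users routing around.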

