[121192] in North American Network Operators' Group
Re: I don't need no stinking firewall!
daemon@ATHENA.MIT.EDU (Bruce Curtis)
Tue Jan 12 18:14:10 2010
From: Bruce Curtis <bruce.curtis@ndsu.edu>
In-Reply-To: <29A54911243620478FF59F00EBB12F4701B27F5C@ex01.drtel.lan>
Date: Tue, 12 Jan 2010 17:13:30 -0600
To: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Jan 6, 2010, at 3:56 PM, Brian Johnson wrote:
>> -----Original Message-----
>> From: Brian Keefer [mailto:chort@smtps.net]
>> Sent: Wednesday, January 06, 2010 3:12 PM
>> To: Brian Johnson
>> Cc: NANOG list
>> Subject: Re: I don't need no stinking firewall!
>
> <SNIP>
<SNIP>
>>
>> IMO you're better off making sure only the services you intend to
>> provide are listening, and that those services are hardened
>> appropriately for public exposure.
>
> OK. This is obvious to anyone with experience in these things. But I
> also believe in a layered approach. It never hurts to add more layers to
> prevent human error or even internal breaches as the different systems
> are under the control of different equipment (servers, routers,
> switches, security devices). It's like two supports holding up something
> without knowing if the other one is doing its job. Both need to pull the
> full weight in case the other fails.
I disagree. "Never" is pretty absolute. If that were true there would be no limit to the number of layers.
Realistically I have experienced the harm from having firewalls in the network path.
I have witnessed too many video sessions that either couldn't be started or had the sessions dropped prematurely because of firewalls.
When the worms were infecting machines a couple of years ago our network was robust and stable and I identified and blocked infected machines quickly. Other universities shut down their residence halls or large portions of their network because their firewalls rolled over and died otherwise from all of the scanning from inside their network.
I have talked to universities who consider the firewall the canary of the network world; it's the first box in the network to cease functioning when there is a problem.
Others have already mentioned the troubleshooting nightmares that firewalls generate; I would consider that a harm also.
---
Bruce Curtis bruce.curtis@ndsu.edu
Certified NetAnalyst II 701-231-8527
North Dakota State University