[121268] in North American Network Operators' Group


Re: I don't need no stinking firewall!

daemon@ATHENA.MIT.EDU (Warren Kumari)
Thu Jan 14 00:44:29 2010

From: Warren Kumari <warren@kumari.net>
To: "Dobbins, Roland" <rdobbins@arbor.net>
In-Reply-To: <A346098D-7931-441E-B7C3-A66180BA741F@arbor.net>
Date: Thu, 14 Jan 2010 00:37:04 -0500
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



On Jan 10, 2010, at 1:32 AM, Dobbins, Roland wrote:

>
> On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
>
>> Again, a firewall has its place just like any other device in the  
>> network, defense in depth is a prudent philosophy to reduce the  
>> chances of compromise, it does not eliminate it nor does any  
>> architecture you can think of, period
>

Bah, I was trying not to get sucked into the roaring vortex of this  
thread, but I think that folks are ignoring one of the primary  
benefits of firewalls:
Quite simply, it's this:

I can now place a checkbox in the "Is there a firewall?" column of the  
<insert random acronym here> audit.

While it may be fun to rail against the stupidity, after the Nth time  
that you have had the "This is in no way going to help improve  
security and will actually decrease it" argument, you realize that, if  
you want to get real work done, you need to choose your battles.

In many cases the auditor knows that the firewall may not make things  
better, and may make them worse, but he has a set of guidelines that  
the contracting company he is working for dictates, and he needs to  
see the widget to sign on the dotted line. I have had auditors  
cheerfully point out that the way that their specific requirement is  
worded, a commodity CPE device plugged into a port somewhere will fully  
satisfy their requirements and did I know that BestBuy has them on  
sale this week?




W


> What a ridiculous statement - of course it does.
>
> *The place of the stateful firewall is in front of clients, not  
> servers*.
>
> I'm not going to continue the unequal contest of pitting real-world  
> operational experience against Confused Information Systems Security  
> Professional brainwashing.  One can spout all the buzzwords and  
> catchphrases one wishes, but at the end of the day, it's all dead  
> wrong - and anyone naive enough to fall for it is setting himself up  
> for a world of hurt.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
>
>
>
>



