[45970] in North American Network Operators' Group
Re: Telco's write best practices for packet switching networks
daemon@ATHENA.MIT.EDU (Eric Brandwine)
Wed Mar 6 09:30:30 2002
To: Ron da Silva <ron@aol.net>
Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu
From: Eric Brandwine <ericb@UU.NET>
Date: 06 Mar 2002 14:25:53 +0000
In-Reply-To: Ron da Silva's message of "Wed, 6 Mar 2002 08:45:59 -0500"
Message-ID: <gu9ofi1rcwe.fsf@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu
>>>>> "rds" == Ron da Silva <ron@aol.net> writes:
>> Cool, who has an OC-192 firewall on their control elements? What is
>> a control element, is that the same as a router or is that a signaling
>> gateway?
rds> Hmm...gotta say it (again). Of course oc192/10ge firewalls are not
rds> currently widely deployed (aka not a best practice), but they should be!
rds> Of course, folks will argue that you have to pay a lot of extra $$
rds> to make that a reality...kind of like how auto makers argue that you
rds> should pay a lot of extra $$ for the GPS receiver in your car (which
rds> does not COST a lot of extra $$).
Firewalls are good things for general purpose networks. When you've
got a bunch of clueless employees, all using Windows shares, NFS, and
all sorts of nasty protocols, a firewall is best practice. Rather
than educate every single one of them as to the security implications
of their actions, just insulate them, and do what you can behind the
firewall.
When you've got a deployed server, run by clueful people, dedicated to
a single task, firewalls are not the way to go. You've got a DNS
server. What are you going to do with a firewall? Permit tcp/53 and
udp/53 from the appropriate net blocks. Where's the protection? Turn
off unneeded services, chose a resilient and flame tested daemon, and
watch the patchlist for it.
ericb
--
Eric Brandwine | It is hard to believe that a man is telling the truth
UUNetwork Security | when you know that you would lie if you were in his
ericb@uu.net | place.
+1 703 886 6038 | - H. L. Mencken
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
