[45971] in North American Network Operators' Group
Re: Telco's write best practices for packet switching networks
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Mar 6 09:43:01 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: Eric Brandwine <ericb@UU.NET>
Cc: Ron da Silva <ron@aol.net>, Sean Donelan <sean@donelan.com>,
nanog@merit.edu
Date: Wed, 06 Mar 2002 09:41:55 -0500
Message-Id: <20020306144156.06A4F7B4B@berkshire.research.att.com>
In message <gu9ofi1rcwe.fsf@rampart.argfrp.us.uu.net>, Eric Brandwine writes:
>
>Firewalls are good things for general purpose networks. When you've
>got a bunch of clueless employees, all using Windows shares, NFS, and
>all sorts of nasty protocols, a firewall is best practice. Rather
>than educate every single one of them as to the security implications
>of their actions, just insulate them, and do what you can behind the
>firewall.
>
>When you've got a deployed server, run by clueful people, dedicated to
>a single task, firewalls are not the way to go. You've got a DNS
>server. What are you going to do with a firewall? Permit tcp/53 and
>udp/53 from the appropriate net blocks. Where's the protection? Turn
>off unneeded services, choose a resilient and flame tested daemon, and
>watch the patchlist for it.
Precisely. You *may* need a packet filter to block things like SNMP
(to name a recent case in point), but a general-purpose firewall is
generally the wrong solution for appliance computers.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
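The filter Eric describes for a single-purpose DNS server, plus the SNMP block Steve cites, written out as a small policy evaluator. This is an added example, not code from the thread; the client netblocks are constructed sample values and the management net that may reach SNMP is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed sample values: the netblocks allowed to query this server.
DNS_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("198.51.100.0/24")]
# Assumption: SNMP polling is only ever expected from this management net.
MGMT_NET = ipaddress.ip_network("203.0.113.0/28")
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Packet:
    src: str     # source IP as text
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the DNS server


def dns_appliance_policy(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one inbound packet; default is deny."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "DENY", "unparsable source address"
    proto = pkt.proto.lower()
    # Rule 1: the SNMP case - only the management net may reach it.
    if proto == "udp" and pkt.dport in SNMP_PORTS:
        if src in MGMT_NET:
            return "ALLOW", "snmp from management net"
        return "DENY", "snmp from outside management net"
    # Rule 2: the one service this host exists for, tcp/53 and udp/53,
    # and only from the appropriate netblocks.
    if pkt.dport == 53 and proto in ("tcp", "udp"):
        if any(src in net for net in DNS_CLIENT_NETS):
            return "ALLOW", "dns from permitted client net"
        return "DENY", "dns from unlisted net"
    # Rule 3: everything else is an unneeded service; drop it.
    return "DENY", "default deny"


def summarize(packets) -> dict:
    """Count verdicts over a batch of packets (e.g. a constructed capture)."""
    counts = {"ALLOW": 0, "DENY": 0}
    for pkt in packets:
        counts[dns_appliance_policy(pkt)[0]] += 1
    return counts


# Constructed sample traffic: two legitimate queries, three things to drop.
SAMPLE_PACKETS = [Packet("192.0.2.10", "udp", 53), Packet("198.51.100.7", "tcp", 53),
                  Packet("10.0.0.1", "udp", 53), Packet("192.0.2.10", "udp", 161),
                  Packet("192.0.2.10", "tcp", 22)]
```

Note that everything the policy permits is exactly what the hardened host already exposes; the only rule a stripped-down server cannot express on its own is the source restriction on port 53 and the SNMP block.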