[45972] in North American Network Operators' Group
Re: Telco's write best practices for packet switching networks
daemon@ATHENA.MIT.EDU (Ron da Silva)
Wed Mar 6 09:48:23 2002
Date: Wed, 6 Mar 2002 09:40:25 -0500
From: Ron da Silva <ron@aol.net>
To: nanog@merit.edu
Message-ID: <20020306094025.G11505@aol.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020306144156.06A4F7B4B@berkshire.research.att.com>; from smb@research.att.com on Wed, Mar 06, 2002 at 09:41:55AM -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
>
> In message <gu9ofi1rcwe.fsf@rampart.argfrp.us.uu.net>, Eric Brandwine writes:
>
> >
> >Firewalls are good things for general purpose networks. When you've
> >got a bunch of clueless employees, all using Windows shares, NFS, and
> >all sorts of nasty protocols, a firewall is best practice. Rather
> >than educate every single one of them as to the security implications
> >of their actions, just insulate them, and do what you can behind the
> >firewall.
> >
> >When you've got a deployed server, run by clueful people, dedicated to
> >a single task, firewalls are not the way to go. You've got a DNS
> >server. What are you going to do with a firewall? Permit tcp/53 and
> >udp/53 from the appropriate net blocks. Where's the protection? Turn
> >off unneeded services, choose a resilient and flame tested daemon, and
> >watch the patchlist for it.
>
> Precisely. You *may* need a packet filter to block things like SNMP
> (to name a recent case in point), but a general-purpose firewall is
> generally the wrong solution for appliance computers.
Hmm...but certainly part of the right solution for a general "appliance"
network.
-ron
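As an added illustration of the packet filter the thread describes for a single-purpose DNS host (permit tcp/53 and udp/53 only from the appropriate netblocks, drop SNMP, deny everything else), here is a small policy model plus the equivalent host ruleset. This is example code written for this page, not code from any of the posters; the netblocks are RFC 5737 documentation ranges chosen as assumptions, the management-host ssh rule is an assumed operator requirement, and the rendered ruleset uses current nftables syntax rather than anything available when the thread was written.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed policy inputs (assumptions, not from the thread).  The netblocks are
# RFC 5737 documentation ranges, so they are not real customer or management nets.
DNS_CLIENTS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("198.51.100.0/24")]
MGMT_HOSTS = [ipaddress.ip_network("203.0.113.10/32")]
DNS_PORT = 53
SSH_PORT = 22
SNMP_PORTS = (161, 162)


@dataclass(frozen=True)
class Packet:
    """Inbound packet to the DNS host, reduced to the fields the filter looks at."""
    src: str
    proto: str   # "tcp" or "udp"
    dport: int


def _in_any(addr: ipaddress._BaseAddress, nets: List[ipaddress.IPv4Network]) -> bool:
    # An IPv6 source never matches an IPv4 network, so it falls through to the default deny.
    return any(addr in n for n in nets)


def verdict(pkt: Packet) -> str:
    """Stateless decision for a new inbound packet: first matching rule wins.

    This is the small packet filter the thread argues for, not a general-purpose
    firewall.  Replies to the host's own outbound queries are not modelled here;
    the rendered nftables ruleset covers them with a conntrack rule.
    """
    src = ipaddress.ip_address(pkt.src)
    # 1. Drop SNMP from everyone, the "block things like SNMP" case.
    if pkt.proto == "udp" and pkt.dport in SNMP_PORTS:
        return "drop-snmp"
    # 2. Permit tcp/53 and udp/53, but only from the approved netblocks.
    if pkt.dport == DNS_PORT and pkt.proto in ("tcp", "udp") and _in_any(src, DNS_CLIENTS):
        return "accept-dns"
    # 3. Operator access: ssh from the management host only (assumed requirement).
    if pkt.proto == "tcp" and pkt.dport == SSH_PORT and _in_any(src, MGMT_HOSTS):
        return "accept-mgmt"
    # 4. Everything else hits the default-deny policy.
    return "drop-default"


def render_nft() -> str:
    """Emit the same policy as an nftables ruleset (current nft syntax, not 2002-era tooling)."""
    clients = ", ".join(str(n) for n in DNS_CLIENTS)
    mgmt = ", ".join(str(n.network_address) for n in MGMT_HOSTS)
    snmp = ", ".join(str(p) for p in SNMP_PORTS)
    return f"""table inet dns_host {{
  set dns_clients {{ type ipv4_addr; flags interval; elements = {{ {clients} }} }}
  chain input {{
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    udp dport {{ {snmp} }} drop
    ip saddr @dns_clients tcp dport {DNS_PORT} accept
    ip saddr @dns_clients udp dport {DNS_PORT} accept
    ip saddr {{ {mgmt} }} tcp dport {SSH_PORT} accept
  }}
}}
"""


if __name__ == "__main__":
    for p in (Packet("192.0.2.7", "udp", 53), Packet("10.0.0.5", "udp", 53),
              Packet("192.0.2.7", "udp", 161), Packet("203.0.113.10", "tcp", 22)):
        print(p, "->", verdict(p))
    print(render_nft())
```

The `ct state established,related accept` line is the one piece the stateless model leaves out: an authoritative-only server can live without it, but a host that also recurses or pulls zone transfers needs its own outbound queries answered, and without conntrack the default-deny policy would silently drop those replies.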