[45973] in North American Network Operators' Group
Re: Telco's write best practices for packet switching networks
daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Wed Mar 6 10:05:40 2002
Date: Wed, 6 Mar 2002 15:04:00 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Ron da Silva <ron@aol.net>
Cc: <nanog@merit.edu>
In-Reply-To: <20020306094025.G11505@aol.net>
Message-ID: <Pine.GSO.4.33.0203061459240.3098-100000@rampart.argfrp.us.uu.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 6 Mar 2002, Ron da Silva wrote:
>
> On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
> >
> > In message <gu9ofi1rcwe.fsf@rampart.argfrp.us.uu.net>, Eric Brandwine writes:
> >
> > >
> > >Firewalls are good things for general purpose networks. When you've
> > >got a bunch of clueless employees, all using Windows shares, NFS, and
> > >all sorts of nasty protocols, a firewall is best practice. Rather
> > >than educate every single one of them as to the security implications
> > >of their actions, just insulate them, and do what you can behind the
> > >firewall.
> > >
> > >When you've got a deployed server, run by clueful people, dedicated to
> > >a single task, firewalls are not the way to go. You've got a DNS
> > >server. What are you going to do with a firewall? Permit tcp/53 and
> > >udp/53 from the appropriate net blocks. Where's the protection? Turn
> > >off unneeded services, choose a resilient and flame-tested daemon, and
> > >watch the patchlist for it.
> >
> > Precisely. You *may* need a packet filter to block things like SNMP
> > (to name a recent case in point), but a general-purpose firewall is
> > generally the wrong solution for appliance computers.
There is no need to drop traffic for things that aren't listening. Eric's
point was that you deploy your fancy-dan mail server with ONLY 22 and 25
listening; you know that's all that's listening, and your
daily/hourly/weekly/monthly automated audits tell you this continually and
alert when there are problems/deviations. So, why filter anything in this
case? It's wasted bandwidth/processing power.
>
> Hmm...but certainly part of the right solution for a general "appliance"
> network.
>
If you run a little network where you know 'precisely' the ins and outs,
there isn't any reason NOT to have a firewall, IMHO. At the very least for
logging/auditing info it's a must. For a backbone, filtering is another
story entirely. Filtering backbone equipment for its own protection is also
a completely different topic...
-Chris
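Added example, not part of Chris Morrow's post or anything else in this NANOG thread: one way to do the "automated audit of what is listening, alert on deviations" check that the reply describes for a dedicated host with only tcp/22 and tcp/25 open. It parses the output of `ss -Hltnu` (Linux iproute2) and compares the result with an expected-listener set. The sample `ss` output, the port allowlist, and every function name below are constructed for this example; the SNMP udp/161 line is included because the thread names SNMP as the kind of thing you might otherwise need a packet filter for.

```python
"""Audit listening sockets on a single-purpose host against an allowlist.

Example code written for this page (not from the thread). It implements
the idea in the reply above: know exactly what should be listening, check
it on a schedule, and alert on any deviation instead of relying on a
firewall in front of the box.
"""
import subprocess
import sys
from typing import Dict, Iterable, List, Set, Tuple

Listener = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 25)

# The mail-server baseline from the thread: only ssh and smtp should listen.
# Assumed allowlist for this example.
EXPECTED: Set[Listener] = {("tcp", 22), ("tcp", 25)}


def parse_ss(output: str) -> Set[Listener]:
    """Parse `ss -Hltnu` output into a set of (proto, port) listeners.

    With both -t and -u given, ss prints a Netid column (tcp/udp) first,
    then State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
    -l restricts it to LISTEN (tcp) and UNCONN (udp) sockets, -n keeps
    ports numeric and -H drops the header line.
    """
    found: Set[Listener] = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # blank line or something we do not understand
        proto, local = fields[0], fields[4]
        # Local address may be 0.0.0.0, [::], or '*' (older ss); the port
        # always follows the last ':' so an IPv6 address does not confuse us.
        port_str = local.rsplit(":", 1)[-1]
        if not port_str.isdigit():
            continue
        found.add((proto, int(port_str)))
    return found


def audit(found: Iterable[Listener], expected: Set[Listener]) -> Dict[str, object]:
    """Compare observed listeners with the baseline.

    'unexpected' is the alert case from the thread (something new is
    listening, e.g. SNMP or a debug port); 'missing' catches the opposite
    failure, a required daemon that has died.
    """
    found_set = set(found)
    unexpected: List[Listener] = sorted(found_set - expected)
    missing: List[Listener] = sorted(expected - found_set)
    return {"unexpected": unexpected, "missing": missing, "ok": not unexpected and not missing}


def live_listeners() -> Set[Listener]:
    """Run ss on the local host (Linux with iproute2 only; not used by the demo)."""
    out = subprocess.run(["ss", "-Hltnu"], capture_output=True, text=True, check=True).stdout
    return parse_ss(out)


# Constructed sample output for a host that has drifted from the baseline:
# SNMP is listening on udp/161 and something is bound to tcp/8080.
SAMPLE_SS_OUTPUT = """\
udp   UNCONN 0      0        0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128      0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
tcp   LISTEN 0      128         [::]:22           [::]:*
tcp   LISTEN 0      128            *:8080           *:*
"""


def main(argv: List[str]) -> int:
    """Cron-friendly entry point: exit 1 (and print the deviation) on drift."""
    found = live_listeners() if "--live" in argv else parse_ss(SAMPLE_SS_OUTPUT)
    result = audit(found, EXPECTED)
    if result["ok"]:
        print("OK: listeners match baseline", sorted(EXPECTED))
        return 0
    for proto, port in result["unexpected"]:
        print(f"ALERT: unexpected listener {proto}/{port}")
    for proto, port in result["missing"]:
        print(f"ALERT: expected listener {proto}/{port} is gone")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run without arguments it audits the constructed sample and reports udp/161 and tcp/8080 as unexpected; with `--live` on a Linux host it audits the real socket table, so it can be scheduled from cron and its exit status wired to whatever alerting is in use. The baseline is deliberately a set of (protocol, port) pairs rather than a count, so a second daemon taking over an expected port still shows up as "ok" here; pairing the check with a package or process inventory closes that gap.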