[46014] in North American Network Operators' Group
Re: Telco's write best practices for packet switching networks
daemon@ATHENA.MIT.EDU (Sean Donelan)
Thu Mar 7 16:46:08 2002
Date: Thu, 7 Mar 2002 16:37:51 -0500 (EST)
From: Sean Donelan <sean@donelan.com>
To: "Steven M. Bellovin" <smb@research.att.com>
Cc: "Christopher L. Morrow" <chris@UU.NET>,
Ron da Silva <ron@aol.net>, <nanog@merit.edu>
In-Reply-To: <20020306152939.ADE017B4B@berkshire.research.att.com>
Message-ID: <Pine.GSO.4.40.0203071618090.25551-100000@clifden.donelan.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

My comment was originally prompted by the meeting minutes which
reported on the survey data showing that 100% of carriers are implementing
firewalls in their gateways. The 100% is what caught my eye. As the
topic comes up in various places, large ISPs repeatedly say they are
unable to implement filters or packet screening on their high-speed
links such as at peering points. So the self-reported 100% implementation
of screening and filtering firewalls at gateways didn't seem to jive
with my understanding of the limitations faced by large ISPs.

Firewalls can be a useful tool in the security engineer's toolbox. But
they get misused a lot. I don't believe security engineers are better
programmers. If there were a class of programmers in the world that didn't
make mistakes, I would hire them to write the applications. When the
firewall is more complex than the application server it is "protecting"
which is likely to have more mistakes?