[46015] in North American Network Operators' Group
Re: Telco's write best practices for packet switching networks
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Thu Mar 7 16:52:49 2002
From: "Steven M. Bellovin" <smb@research.att.com>
To: Sean Donelan <sean@donelan.com>
Cc: "Christopher L. Morrow" <chris@UU.NET>,
Ron da Silva <ron@aol.net>, nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 07 Mar 2002 16:50:56 -0500
Message-Id: <20020307215056.8D3D57B4B@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu
In message <Pine.GSO.4.40.0203071618090.25551-100000@clifden.donelan.com>, Sean Donelan writes:
>
>My comment was originally prompted by the meeting minutes which
>reported on the survey data showing that 100% of carriers are implementing
>firewalls in their gateways. The 100% is what caught my eye. As the
>topic comes up in various places, large ISPs repeatedly say they are
>unable to implement filters or packet screening on their high-speed
>links such as at peering points. So the self-reported 100% implementation
>of screening and filtering firewalls at gateways didn't seem to jive
>with my understanding of the limitations faced by large ISPs.
Yup.
>
>Firewalls can be a useful tool in the security engineer's toolbox. But
>they get misused a lot. I don't believe security engineers are better
>programmers. If there was a class of programmers in the world that didn't
>make mistakes, I would hire them to write the applications. When the
>firewall is more complex than the application server it is "protecting"
>which is likely to have more mistakes?
>
Yes and no. I don't think that security programmers are any better
than application programmers. But they might be trained differently.
For example, I suspect that most application programmers have never
heard of format string vulnerabilities. I would hope that most
security professionals have.
But you're absolutely right about the complexity of many of today's
firewalls -- I've been complaining about that for years.
--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com