[68800] in North American Network Operators' Group
Re: Firewall opinions wanted please
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Mar 16 22:34:21 2004
From: "Steven M. Bellovin" <smb@research.att.com>
To: Valdis.Kletnieks@vt.edu
Cc: Nicole <nmh@daemontech.com>, nanog@nanog.org
In-Reply-To: Your message of "Tue, 16 Mar 2004 21:38:36 EST."
<200403170238.i2H2caAA006011@turing-police.cc.vt.edu>
Date: Tue, 16 Mar 2004 22:33:02 -0500
Errors-To: owner-nanog-outgoing@merit.edu
In message <200403170238.i2H2caAA006011@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
>
>On Tue, 16 Mar 2004 14:27:16 PST, Nicole <nmh@daemontech.com> said:
>
>> From what I have heard a proxy firewall would be best?
>
>I'll go out on a limb here and say that the actual make and model of the
>firewall don't matter anywhere *near* as much as a proper understanding on the
>client's part of what a firewall can and can't do.

You're not going out on a limb; you're absolutely right, and I've been
saying that for years. I'll quote myself:

    Although firewalls are a useful part of a network security
    program, they are not a panacea. When managed properly, they
    are useful, but they will not do everything. If
    firewalls are used improperly, the only thing they buy you
    is a false sense of security.

Beyond that, different security policies have a much greater impact
than different brands or types of firewalls.

--Steve Bellovin, http://www.research.att.com/~smb