[68823] in North American Network Operators' Group
Re: Firewall opinions wanted please
daemon@ATHENA.MIT.EDU (bill)
Wed Mar 17 12:58:15 2004
From: bill <bmanning@karoshi.com>
To: rara@navigo.com (Rachael Treu)
Date: Wed, 17 Mar 2004 09:57:35 -0800 (PST)
Cc: bmanning@karoshi.com (bill), nanog@merit.edu
In-Reply-To: <20040317175733.GD8114@navigo.com> from "Rachael Treu" at Mar 17, 2004 11:57:33 AM
Errors-To: owner-nanog-outgoing@merit.edu
>
>
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall,
> > >
> > > _Everyone_ (network connected) should have a firewall. My grandma should
> > > have a firewall. Nicole, holding dominion over this business network and
> > > its critical infrastructure, should _definitely_ have a firewall. ;)
> > >
> > Why? When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?
> >
> > Two questions asked, two answers are sufficient.
>
> Nope. One will do it. The day the first remote exploit or condition,
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain control
> of your box(en), firewalling became necessary.
Ah, so back in 1979. Three (well two and a half, roughly)
decades between making fundamental design choices on how
protocols vs folks trying to do the right thing in the wrong
place.
> Then Internet is not exactly
> end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the
> notion of "end-to-end" requires preservation of a connection between 2
> consenting hosts, and preservation includes securement of that connection
> against destructive mechanisms, which includes the subversive techniques and
> interceptions commonly associated with network security.
Here we have some disagreement. Network Security is protecting
the infrastructure's ability to deliver bits and has nothing to
do w/ end systems per se.
> Firewalls are logical interventions, costing as little as some processor
> overhead. Dedicated appliances are only one deployment. Filters on
> routers also qualify as firewalls. Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
Please include the OPEX costs. And you have ignored the
IAB plea for having filtering done as a temporary expedient
as a way to encourage new application/feature development.
And yes, the need to perform edge filtering is symptomatic of
a cultural problem. We have sociopaths in the community that
drive normally sane people to do perverse things.
So yes, mutant lunacy and unDESIRABLE complexity.
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> regarding appropriate and competent administration. The lack thereof
> presents the complication, not the countermeasure itself.
Amen. See above. From a systems perspective, adding yet
one more level of management/administration decreases the
efficiency and robustness of the overall system. From a
"security" perspective, another attack point!
> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well? Other factions might/do
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the ignorant
> and infected.
See above.
>
> --ra
>
> --
> k. rachael treu, CISSP rara@navigo.com
> ..quis costodiet ipsos custodes?..
> >
> > --bill
>
>