[68842] in North American Network Operators' Group
Re: Firewall opinions wanted please
daemon@ATHENA.MIT.EDU (Bruce Pinsky)
Wed Mar 17 15:45:18 2004
Date: Wed, 17 Mar 2004 12:44:06 -0800
From: Bruce Pinsky <bep@whack.org>
Reply-To: bep@whack.org
To: erik@we-dare.net
Cc: Petri Helenius <pete@he.iki.fi>, Rachael Treu <rara@navigo.com>,
Gregory Taylor <greg@xwb.com>, nanog@merit.edu
In-Reply-To: <1079554953.1573.23.camel@styxdev>
Errors-To: owner-nanog-outgoing@merit.edu
Erik Haagsman wrote:
| On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
|
|>No, the applications should accept only authorized connections. If that
|>would be the case, there would be no need to filter at packet level.
|
| No, since this would be assuming that each application is perfect and
| there's no such thing as buffer overflows and other software bugs
| (including those in authentication routines). A firewall is an extra
| line of defence in preventing malicious packets from reaching the
| destination app and the more people have one the better (although I'm
| not sure whether grandma would be too bothered)
| It's not bulletproof (and could potentially contain a bug itself) but it
| provides additional security, regardless of authentication of
| connections.
|
And I think you have hit it right on the head...another line of defense.
Everything I've ever read about security (network or otherwise) suggests
that a layered approach increases effectiveness. I certainly don't trust a
firewall appliance as my only security device, so I also do prudent things
like disable ports and applications that are not in use on my network and
enforce authentication and authorization for access to legitimate services.
--
=========
bep
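The "disable ports and applications that are not in use" layer Bruce describes can be checked mechanically. The following is an added example, not code from the thread or from any of its authors: it parses a constructed `ss -ltnp`-style listing from a hypothetical host, compares it with an assumed allowlist of legitimate services, and reports listeners that should be shut down or filtered, plus loopback-only services exposed to the network.

```python
"""Audit listening sockets against an allowlist of legitimate services."""
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ltnp` output (hypothetical host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=811,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=902,fd=6))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=950,fd=5))
LISTEN  0       50      0.0.0.0:3306         0.0.0.0:*          users:(("mysqld",pid=1204,fd=20))
LISTEN  0       128     0.0.0.0:6000         0.0.0.0:*          users:(("Xorg",pid=1301,fd=4))
"""

# Assumed policy for the sample host: port -> may it be reached from the network?
ALLOWED_SERVICES = {22: True, 80: True, 5432: False}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Extract local address, port and process name from ss -ltnp lines."""
    listeners = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")   # works for [::]:22 too
        process = "?"
        if len(fields) > 5 and fields[5].startswith('users:(("'):
            process = fields[5].split('"')[1]
        listeners.append(Listener(address, int(port), process))
    return listeners


def audit(listeners: list[Listener], allowed: dict[int, bool]) -> dict[str, list[Listener]]:
    """'unexpected': not in the allowlist; 'overexposed': local-only service bound beyond loopback."""
    findings = {"unexpected": [], "overexposed": []}
    for l in listeners:
        if l.port not in allowed:
            findings["unexpected"].append(l)
        elif not allowed[l.port] and l.address not in ("127.0.0.1", "::1", "[::1]"):
            findings["overexposed"].append(l)
    return findings
```

Each "unexpected" entry is a candidate to stop at the host and to deny at the packet filter, so the two layers back each other up.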