[68866] in North American Network Operators' Group
Re: Firewall opinions wanted please
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Wed Mar 17 19:29:38 2004
From: "Steven M. Bellovin" <smb@research.att.com>
To: bill <bmanning@karoshi.com>
Cc: pete@he.iki.fi (Petri Helenius), rara@navigo.com (Rachael Treu),
greg@xwb.com (Gregory Taylor), nanog@merit.edu
In-Reply-To: Your message of "Wed, 17 Mar 2004 15:01:50 PST."
<200403172301.i2HN1o920765@karoshi.com>
Date: Wed, 17 Mar 2004 19:28:57 -0500
Errors-To: owner-nanog-outgoing@merit.edu
In message <200403172301.i2HN1o920765@karoshi.com>, bill writes:
>> "the primary purpose of a firewall is to keep the bad
>> guys away from the buggy code. Firewalls are the networks' response to
>> the host security problem."
>
> a pretty good sound bite. :)
Thanks -- I've been using that line for about 10 years, and I haven't gotten
tired of it yet....
>
>> Add to that that you don't really know what's
>> safe or unsafe, and that you have some services that are convenient for
>> insiders but don't have adequate, scalable authentication on which you
>> can build an authorization mechanism, and you see why firewalls are
>> useful.
>>
>> Perfect? No, of course not. A good idea? Absolutely.
>
> Er... perhaps.
>
> Who is configuring the "firewall"? What are its capabilities?
> How easy will it be to deploy new services? I, as an enduser,
> am abdicating most of my responsibility to, or it is being hijacked
> by, one or more network service providers. Ken is right.
I don't have time to participate in this thread any more tonight --
tomorrow is the biweekly IESG call, and I still have several documents
to review -- but I never said that ISPs should implement firewalls. In
fact, in general that's a bad idea. Firewalls are the instantiation of
a security policy; I don't want my ISP telling me what my security policy
is or should be.
To be sure, there is a market for a value-added ISP service that
provides assorted types of filtering. But that's the sort of thing
that's best done by consenting adults. More later....
--Steve Bellovin, http://www.research.att.com/~smb