[68884] in North American Network Operators' Group


Re: Firewall opinions wanted please

daemon@ATHENA.MIT.EDU (Alexei Roudnev)
Thu Mar 18 01:18:01 2004

From: "Alexei Roudnev" <alex@relcom.net>
To: "Steven M. Bellovin" <smb@research.att.com>,
	"Petri Helenius" <pete@he.iki.fi>
Cc: "Rachael Treu" <rara@navigo.com>,
	"Gregory Taylor" <greg@xwb.com>, <nanog@merit.edu>
Date: Wed, 17 Mar 2004 22:17:17 -0800
Errors-To: owner-nanog-outgoing@merit.edu



>
> No.  Quite apart from the fact that you mean "authorized", not
> "authenticated", the primary purpose of a firewall is to keep the bad
> guys away from the buggy code.  Firewalls are the networks' response to
> the host security problem.
No. Let's imagine that I have 4 hosts, without ANY security problems in
software, and I'd like to provide WEB service. A firewall
protects other services from outside access. Without it, you can slogin to
me, if you know my password, even if the host does not have any bugs. (Of course,
SecureID, hand scan etc... decrease the need for this.)

Second. Not ANY network requires a FireWall. If a network (grandma's) does not allow
any ACCESS from the Internet (grandma's network does not allow access because it
does not expose any IP device to the outside network, using NAT for outgoing
connections), it can live without any ACL and any firewall attributes - and
be as secure as a production network with expansive firewall(s).

The key word is _ACCESS_. No ACCESS - no FireWall (cut wires). One Way Access -
many different devices play the role of a firewall (a PNAT translator, for example,
does 99.9% of the work). More ACCESS required - more COMPLICATED firewalls
are required.

So, the key word is not PROTECTION but ACCESS.

