On 7-May-2008, at 17:07:06, Deepak Jain wrote:
> Many non-SP IT folks think they understand TCP, grudgingly accept UDP for DNS from external sources and think everything else is bollocks. Many *might* have a fit if they saw Microsoft accepting ICMPs because that seems inconsistent with their knowledge of turn-the-knob network security. To their view, their Linksys/Netgear/whathaveyou COTS firewalls block everything too.
> I don't think I'm exaggerating here.
No, you are not. I have seen the same from "firewall engineers" at large companies, people who, supposedly, have done "network security" for years. Even after showing them numerous Web sites detailing current best practices, especially Rob Thomas's fine site, these folks would not change their practices. Some days it is hard to not give in to the "I give up" feelings.