In message <200403172301.i2HN1o920765@karoshi.com>, bill writes:
> "the primary purpose of a firewall is to keep the bad guys away from the buggy code. Firewalls are the networks' response to the host security problem."
> a pretty good sound bite. :)
Thanks -- I've been using that line for about 10 years, and I haven't gotten tired of it yet....
Add to that that you don't really know what's safe or unsafe, and that you have some services that are convenient for insiders but don't have adequate, scalable authentication on which you can build an authorization mechanism, and you see why firewalls are useful.
Perfect? No, of course not. A good idea? Absolutely.
> Er... perhaps.
> Who is configuring the "firewall"? What are its capabilities? How easy will it be to deploy new services? I, as an end user, am abdicating most of my responsibility to or it is being hijacked by one or more network service providers. Ken is right.
I don't have time to participate in this thread any more tonight -- tomorrow is the biweekly IESG call, and I still have several documents to review -- but I never said that ISPs should implement firewalls. In fact, in general that's a bad idea. Firewalls are the instantiation of a security policy; I don't want my ISP telling me what my security policy is or should be. To be sure, there is a market for a value-added ISP service that provides assorted types of filtering. But that's the sort of thing that's best done by consenting adults. More later....

--Steve Bellovin, http://www.research.att.com/~smb