----- Original Message -----
From: "Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>
On the other hand, since a firewall's job is to stop packets you don't want,
One of Marcus Ranum's "5 Stupidest Security Blunders" - "enumerating badness". A firewall's job isn't to stop unwanted packets, it's to pass only wanted packets.
From 30,000ft those are equivalent.
When you get down below 5000ft, it starts to matter which approach you take to it. There are lots and lots of people, though, whose exposure to firewalls is "a set of rules you drop over a router" -- in consequence of which there are a lot of *firewalls* that are designed that way. You're correct in implying that that's strategically bad, but both components of that paragraph impact the issue.
if it stops doing it's just as a firewall, it's likely to keep on doing it's other job: passing packets.
As a result, a firewall that fails open rather than closed is mis-designed.
And if you're deploying a firewall and don't know if the failure mode is open or closed, you probably get what you deserve when it fails.
Can't argue with that at all. Cheers, -- jra -- Jay R. Ashworth Baylink jra@baylink.com Designer The Things I Think RFC 2100 Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA http://photo.imageinc.us +1 727 647 1274