In message <Pine.GSO.4.33.0203061459240.3098-100000@rampart.argfrp.us.uu.net>, "Christopher L. Morrow" writes:
On Wed, 6 Mar 2002, Ron da Silva wrote:
On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
In message <gu9ofi1rcwe.fsf@rampart.argfrp.us.uu.net>, Eric Brandwine writ
es:
Firewalls are good things for general purpose networks. When you've got a bunch of clueless employees, all using Windows shares, NFS, and all sorts of nasty protocols, a firewall is best practice. Rather than educate every single one of them as to the security implications of their actions, just insulate them, and do what you can behind the firewall.
When you've got a deployed server, run by clueful people, dedicated to a single task, firewalls are not the way to go. You've got a DNS server. What are you going to do with a firewall? Permit tcp/53 and udp/53 from the appropriate net blocks. Where's the protection? Turn off unneeded services, chose a resilient and flame tested daemon, and watch the patchlist for it.
Precisely. You *may* need a packet filter to block things like SNMP (to name a recent case in point), but a general-purpose firewall is generally the wrong solution for appliance computers.
There is no need to drop traffic for things that aren't listening. Eric's point was you deploy your fancy-dan mail server with ONLY 22 and 25 listening, you know that's all that's listening and your daily/hourly/weekly/monthly automated audits tell you this continually and alert when there are problems/deviations. So, why filter anything in this case? It's wasted bandwidth/processing power.
I was agreeing with Eric's point. I've been saying this for years. My comment about the packet filter was to deal with services that are needed for some internal purposes, but for some reason can't protect themselves. Right now, that's snmp -- you may have snmpd running on your mail server, but given the recent CERT advisory you need to keep the bad guys away from it. (Yes, you should install fixed code -- but given how many components were affected by that advisory, it's quite obvious that no one has had time to test the fixes properly.) --Steve Bellovin, http://www.research.att.com/~smb Full text of "Firewalls" book now at http://www.wilyhacker.com