On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
The best option I guess is to figure out how important it is for you to have a firewall,
_Everyone_ (network connected) should have a firewall. My grandma should have a firewall. Nicole, holding dominion over this business network and its critical infrastructure, should _definitely_ have a firewall. ;)
Why? When did the end2end nature of the Internet suddenly sprout these mutant bits of extra complexity that reduce the overall security of the 'net?
Two questions asked, Two answers are sufficent.
Nope. One will do it. The day the first remote exploit or condition, in protocol or application, that could potentially have given rise to such and exploit made it possible for a user not in your control to gain control of your box(en), firewalling became necessary.
Ah, so back in 1979. Three (well two and a half, roughly) decades between making fundamental design choices on how protocols vs folks trying to do the right thing in the wrong place.
Then Internet is not exactly end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the notion of "end-to-end" requires preservation of a connection between 2 consenting hosts, and preservation includes securement of that connection against destructive mechanisms, which includes the subversive techniques and intercetptions commonly associated with network security.
Here we have some disagreement. Network Security is protecting the infrastructures ability to deliver bits and has nothing to do w/ end systems per se.
Firewalls are logical interventions, costing as little as some processor overhead. Dedicated appliances are only one deployment. Filters on routers also qualify as firewalls. Am I correct in understanding that you feel edge filtering is mutant lunacy and unnecessary complexity?
Please include the OPEX costs. And you have ignored the IAB plea for having filtering done as a temporary expdient as a way to encourage new application/feature development. And yes, the need to perform edge filtering is symtematic of a cultural problem. We have sociopaths in the community that drive normally sane people to do perverse things. So yes, mutant lunacy and unDESIRABLE complexity.
Regarding dedicated firewalls, please see Mr. Bellovin's previous post regarding appropriate and competent administration. The lack thereof presents the complication, not the countermeasure itself.
Amen. See above. From a systems perspective, adding yet one more level of management/administration decreases the efficentcy and robustness of the overall system. From a "security" perspective, another attack point!
As for your assertion that firewalls "reduce the overall security of the 'net."...can you please elaborate on that, as well? Other factions might/do argue that it's the other team refusing to lock their doors at night that are perpetuating the flux of bad behavior as a close second to the ignorant and infected.
See above.
--ra
-- k. rachael treu, CISSP rara@navigo.com ..quis costodiet ipsos custodes?..
--bill