On Wed, Mar 17, 2004 at 09:48:30AM -0800, Kevin Oberman said something to the effect of: ..snip snip..
> I dislike firewalls for many applications, although I have a Sonic Wall on my cable modem. On the whole, they lead to false belief that firewalls really make you safe. They also block many interesting applications. Things like H.323 conferencing are made vastly more complex by firewalls with no easy or canned work-arounds.
H.323 is its own complex, unwieldy mutant (though a lovely one at that), and it is unfair to throw the baby out with the bathwater in that case. Something like saying that it's rough to configure MPLS on your cable modem at home so we should do away with those. Configured properly, firewalls handle H.323 just fine. As for false beliefs... Seat belts aren't guaranteed to save your life if you wrap your car around a tree, but they improve the chances that you won't pierce the windshield with your face. That lid on your coffee cup has a hole in it so you can drink out of it, but that can spill, too.. Still...which way would you rather have that cup--lidded or lidless--when it goes flying out of your cupholder and into your lap? A stoplight doesn't actually physically stop traffic. Having a green light in your direction doesn't actually guarantee that the intersecting traffic won't plow into you. Sometimes parachutes don't open properly, but can you imagine if people gave up skydiving altogether, or skydived without them, refusing to be lulled into a false sense of safety? Hrm. This now becomes an issue of adequate education and precaution. It's not the fault of the technology if its users are ill-informed...
> One large research site I work closely with has directly opted for IDS with a bad attitude (love that description) which has successfully blocked many intrusion and DOS attempts with no major failures. Slammer did overwhelm it, but it did the same for most everything.
IDS that reacts is, by classical definition, firewalling. The IDS component merely detects the anomaly. To react is a firewall function. Does IDS not smack of that false sense of security you mentioned? If admins refuse to acknowledge attack conditions because the IDS didn't squawk, does that guarantee that the network is totally peaceful?
> The end-to-end nature of the net is really, really important, but is being blocked more and more by those who think the net is web browsing and e-mail clients and that everything else is simply an annoyance. This attitude is hamstringing network development already and may end up turning the commercial Internet into a permanently limited tool with fewer real capabilities than the ARPANET had before TCP/IP replaced NCP.
This is a very valid concern. Unfortunately, aside from those in pure academia, this is the bread and butter for most of us. The HTML-for-the-masses and email-happy vox populi are the ones subscribing to providers and buying bandwidth that we are trying to enable.
> Grandma may need a firewall. (My sister DEFINITELY needs one.) But not all network connections need or will benefit from a firewall. And many systems will exist with significant security flaws because the owners believe that the firewall takes care of everything.
As do many owners that believe their Microsoft boxes do everything. Or nothing. Or that nothing needs to be done to their MS boxes...

--ra

-- 
k. rachael treu, CISSP
rara@navigo.com
..quis custodiet ipsos custodes?..
> -- 
> R. Kevin Oberman, Network Engineer
> Energy Sciences Network (ESnet)
> Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
> E-mail: oberman@es.net
> Phone: +1 510 486-8634