Re: Telcos write best practices for packet switching networks
"rds" == Ron da Silva <ron@aol.net> writes:
Cool, who has an OC-192 firewall on their control elements? What is a control element, is that the same as a router or is that a signaling gateway?
rds> Hmm...gotta say it (again). Of course oc192/10ge firewalls are not
rds> currently widely deployed (aka not a best practice), but they should be!
rds> Of course, folks will argue that you have to pay a lot of extra $$
rds> to make that a reality...kind of like how auto makers argue that you
rds> should pay a lot of extra $$ for the GPS receiver in your car (which
rds> does not COST a lot of extra $$).

Firewalls are good things for general purpose networks. When you've got a bunch of clueless employees, all using Windows shares, NFS, and all sorts of nasty protocols, a firewall is best practice. Rather than educate every single one of them as to the security implications of their actions, just insulate them, and do what you can behind the firewall.

When you've got a deployed server, run by clueful people, dedicated to a single task, firewalls are not the way to go. You've got a DNS server. What are you going to do with a firewall? Permit tcp/53 and udp/53 from the appropriate net blocks. Where's the protection? Turn off unneeded services, choose a resilient and flame-tested daemon, and watch the patchlist for it.

ericb
--
Eric Brandwine          | It is hard to believe that a man is telling the truth
UUNetwork Security      | when you know that you would lie if you were in his
ericb@uu.net            | place.
+1 703 886 6038         |     - H. L. Mencken
Key fingerprint = 3A39 2C2F D5A0 FC7C 5F60 4118 A84A BD5D 59D7 4E3E
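The "permit tcp/53 and udp/53 from the appropriate net blocks" policy above, written out as a small stateless filter model so the point can be checked concretely. This is an added example, not code from either poster or from any firewall product; the rule format, the `Rule`/`Packet`/`Filter` names and the 192.0.2.0/24 and 198.51.100.0/24 client blocks are all constructed for illustration. The last sample packet shows what the filter cannot do: a query from an allowed block is permitted no matter what its payload contains, so whatever the daemon does with that payload is the daemon's problem, not the firewall's.

```python
"""Minimal model of a port/netblock firewall in front of a single-purpose
DNS server. Added example; names, rule format and sample packets are
constructed, not taken from the thread or from any vendor."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed: the client net blocks this DNS server is meant to answer for.
ALLOWED_CLIENTS: Tuple[IPv4Network, ...] = (
    ip_network("192.0.2.0/24"),
    ip_network("198.51.100.0/24"),
)


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    dst_port: Optional[int]     # None matches any destination port
    sources: Tuple[IPv4Network, ...] = ()   # empty tuple matches any source

    def matches(self, proto: str, src, dst_port: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.sources and not any(src in net for net in self.sources):
            return False
        return True


@dataclass
class Packet:
    proto: str
    src: str
    dst_port: int
    payload: bytes = b""        # never inspected by the filter below


@dataclass
class Filter:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """First-match evaluation with an implicit default deny; every
        decision is logged, which is the one thing a filter in front of a
        DNS server does add."""
        src = ip_address(pkt.src)
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt.proto, src, pkt.dst_port):
                self.log.append(
                    f"rule {idx} {rule.action} {pkt.proto} {pkt.src} -> :{pkt.dst_port} "
                    f"len={len(pkt.payload)}")
                return rule.action
        self.log.append(f"default deny {pkt.proto} {pkt.src} -> :{pkt.dst_port}")
        return "deny"


def dns_server_policy() -> Filter:
    """The whole policy Eric describes: 53/udp and 53/tcp from the
    appropriate blocks, nothing else."""
    return Filter([
        Rule("permit", "udp", 53, ALLOWED_CLIENTS),
        Rule("permit", "tcp", 53, ALLOWED_CLIENTS),
        Rule("deny", "any", None),
    ])


def run_demo() -> List[Tuple[str, str]]:
    """Evaluate constructed sample packets; returns (description, decision)."""
    fw = dns_server_policy()
    samples = [
        ("udp query from allowed block", Packet("udp", "192.0.2.10", 53)),
        ("tcp query from allowed block", Packet("tcp", "198.51.100.7", 53)),
        ("udp query from outside block", Packet("udp", "203.0.113.5", 53)),
        ("ssh from allowed block", Packet("tcp", "192.0.2.10", 22)),
        # Oversized junk on 53/udp from an allowed client: the filter has
        # no opinion on the payload, so this is permitted like any query.
        ("junk on 53/udp from allowed block",
         Packet("udp", "192.0.2.10", 53, b"\xff" * 4096)),
    ]
    return [(desc, fw.decide(pkt)) for desc, pkt in samples]


if __name__ == "__main__":
    for desc, decision in run_demo():
        print(f"{decision:6s}  {desc}")
```

Running it prints permit, permit, deny, deny, permit: the filter does exactly what the port list says and nothing more, which is why the remaining work in this setup is choosing and patching the daemon.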
> When you've got a deployed server, run by clueful people, dedicated to
> a single task, firewalls are not the way to go.
Probably. And I would certainly rate "clueful people" _far_ above a firewall when it comes times to prioritize your security needs and resources.
> What are you going to do with a firewall?
Compared to your average application, firewalls often have
- better logging (more detail, adjustable, not on the vulnerable device);
- vendors focused on security;
- add-ons like IDS that can benefit from the superior logs;
- firewall admins focused on security and who do security every day;
- better response capability for unplanned/unanticipated security issues.
> choose a resilient and flame-tested daemon, and watch the patchlist for it.
You've never seen a security vendor come out with a patch or workaround before an application vendor?

--
                                  | Opinions are _mine_, facts
Rob Quinn                         | are facts.
(703)689-6582                     |
rquinn @ sec.sprint.net           |
Sprint Corporate Security         |
Computer Incident Response Team   |