North American Network Operators Group
Re: Telco's write best practices for packet switching networks
- From: Christopher L. Morrow
- Date: Wed Mar 06 10:08:00 2002
On Wed, 6 Mar 2002, Ron da Silva wrote:
> On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
> > In message <firstname.lastname@example.org>, Eric Brandwine writes:
> > >
> > >Firewalls are good things for general purpose networks. When you've
> > >got a bunch of clueless employees, all using Windows shares, NFS, and
> > >all sorts of nasty protocols, a firewall is best practice. Rather
> > >than educate every single one of them as to the security implications
> > >of their actions, just insulate them, and do what you can behind the
> > >firewall.
> > >
> > >When you've got a deployed server, run by clueful people, dedicated to
> > >a single task, firewalls are not the way to go. You've got a DNS
> > >server. What are you going to do with a firewall? Permit tcp/53 and
> > >udp/53 from the appropriate net blocks. Where's the protection? Turn
> > >off unneeded services, choose a resilient and flame tested daemon, and
> > >watch the patchlist for it.
> > Precisely. You *may* need a packet filter to block things like SNMP
> > (to name a recent case in point), but a general-purpose firewall is
> > generally the wrong solution for appliance computers.
There is no need to drop traffic for things that aren't listening. Eric's
point was you deploy your fancy-dan mail server with ONLY 22 and 25
listening, you know that's all that's listening and your
daily/hourly/weekly/monthly automated audits tell you this continually and
alert when there are problems/deviations. So, why filter anything in this
case? It's wasted bandwidth/processing power.
> Hmm...but certainly part of the right solution for a general "appliance"
If you run a little network where you know 'precisely' the ins and outs
there isn't any reason NOT to have a firewall, IMHO. At the very least for
logging/auditing info it's a must. For a backbone filtering is another
story entirely. Filtering backbone equipment for its protection is also a
completely different topic...
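The automated listening-socket audit the reply describes (a box that should expose only tcp/22 and tcp/25, checked on a schedule, with an alert on any deviation) is easy to make concrete. The script below is an added example, not code from the thread or from any of its participants. It assumes a Linux host whose socket table is read with `ss -H -l -n -t` / `ss -H -l -n -u` (the `-H` no-header option is an iproute2 assumption); the sample output embedded in it is constructed, not captured from a real machine, and `EXPECTED` is a hypothetical policy for the mail server in the post. It also handles the one nuance a practitioner usually wants: a daemon bound only to loopback is reported as informational rather than paged on, since it is not reachable from the wire, while an expected service that has stopped listening is flagged too.

```python
"""Listening-socket audit: compare what a host is actually listening on
with the short list it is supposed to expose, and report deviations.

Added example; not part of the NANOG thread. Assumes Linux `ss` with the
-H (no header) option. SAMPLE_* below is constructed output, not a capture.
"""
import re
import subprocess
import sys

# Hypothetical policy for the mail server in the post: only ssh and smtp.
EXPECTED = {("tcp", 22), ("tcp", 25)}

# Addresses that are not reachable from the network; a listener bound only
# here is worth noting but is not an exposure.
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed `ss -H -l -n -t` output (State Recv-Q Send-Q Local Peer).
SAMPLE_TCP = """\
LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
LISTEN 0      100        0.0.0.0:25        0.0.0.0:*
LISTEN 0      128      127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128           [::]:22           [::]:*
"""
# Constructed `ss -H -l -n -u` output: an SNMP agent nobody asked for.
SAMPLE_UDP = """\
UNCONN 0      0          0.0.0.0:161       0.0.0.0:*
"""

# Local address:port as ss prints it: "0.0.0.0:22", "[::]:22", "*:22".
LOCAL_RE = re.compile(r"^(\[[^\]]*\]|[^:\s]+):(\d+)$")


def parse_ss(output, proto):
    """Parse ss listener lines into {(proto, port): {local_addr, ...}}."""
    sockets = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        m = LOCAL_RE.match(fields[3])
        if not m:
            continue
        addr, port = m.group(1).strip("[]"), int(m.group(2))
        sockets.setdefault((proto, port), set()).add(addr)
    return sockets


def audit(sockets, expected=EXPECTED):
    """Return (exposed_unexpected, loopback_only, missing).

    exposed_unexpected: listening on a non-loopback address and not in the
                        policy; this is the alert condition.
    loopback_only:      not in the policy but bound only to loopback.
    missing:            in the policy but not listening at all (service down).
    """
    exposed_unexpected, loopback_only = set(), set()
    for key, addrs in sockets.items():
        if key in expected:
            continue
        if addrs <= LOOPBACK:
            loopback_only.add(key)
        else:
            exposed_unexpected.add(key)
    missing = {k for k in expected if k not in sockets}
    return exposed_unexpected, loopback_only, missing


def collect_live():
    """Read the real socket table of this host (Linux, iproute2 ss)."""
    sockets = {}
    for proto, flag in (("tcp", "-t"), ("udp", "-u")):
        out = subprocess.run(["ss", "-H", "-l", "-n", flag],
                             capture_output=True, text=True, check=True).stdout
        sockets.update(parse_ss(out, proto))
    return sockets


def collect_sample():
    """The constructed sample, merged the same way collect_live() merges."""
    sockets = parse_ss(SAMPLE_TCP, "tcp")
    sockets.update(parse_ss(SAMPLE_UDP, "udp"))
    return sockets


if __name__ == "__main__":
    table = collect_live() if "--live" in sys.argv else collect_sample()
    unexpected, loopback, missing = audit(table)
    for proto, port in sorted(unexpected):
        print(f"ALERT: unexpected listener {proto}/{port} on {sorted(table[(proto, port)])}")
    for proto, port in sorted(missing):
        print(f"ALERT: expected service {proto}/{port} is not listening")
    for proto, port in sorted(loopback):
        print(f"info: {proto}/{port} bound to loopback only")
    # Non-zero exit lets cron/monitoring treat any deviation as a failure.
    sys.exit(1 if unexpected or missing else 0)
```

Run without arguments to see the constructed sample (the udp/161 agent is the alert, tcp/3306 on loopback is informational); run with `--live` from cron on a real Linux host to get the hourly or daily check the post has in mind. Exit status, not the printed text, is what a scheduler should act on.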