Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Firewall opinions wanted please

  • From: Alexei Roudnev
  • Date: Wed Mar 17 14:26:02 2004

Not _firewalling_, but access limitation. Grandma can live with a PNAT
router - she does not need any firewall if she does not grant external access
to anything. She can live with the Windows _default deny_ setting. If grandma
has extra money, it is better to purchase anti-virus.

Moreover, just for _grandma_, it can be cheaper to do nothing than to invest
in security (bad thing for us, I know!) - because she loses '$0' in case
of intrusion... It explains the wide spread of modern viruses, spam-trojans etc.
(they cost '$0' to infected households in many cases).

It is like wireless access - my friend has a secured access point, but when I
tried, I could use the unsecured access points of 2 of his neighbours.
They know about the insecurity - but they do not lose anything, so they do not
want to spend $0.01 to improve it. And unfortunately, I cannot blame them.

> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the effect of:
> > > > The best option I guess is to figure out how important it is for you to have a firewall,
> > >
> > > _Everyone_ (network connected) should have a firewall.  My grandma
> > > have a firewall.  Nicole, holding dominion over this business network
> > > its critical infrastructure, should _definitely_ have a firewall.  ;)
> > >
> > Why?  When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?
> >
> > Two questions asked, Two answers are sufficient.
> Nope.  One will do it.  The day the first remote exploit or condition,
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain
> of your box(en), firewalling became necessary.  Then Internet is not
> end-to-end beyond pure fundamentals; it's more end-to-many-ends.  And the
> notion of "end-to-end" requires preservation of a connection between 2
> consenting hosts, and preservation includes securement of that connection
> against destructive mechanisms, which includes the subversive techniques
> interceptions commonly associated with network security.
> Denial of Service is as much a threat to availability and network
> functionality as is power outage if it occurs.  Before this turns to a
> security freaks want to screw around with my network and don't care about
> availability..."
> Firewalls are logical interventions, costing as little as some processor
> overhead.  Dedicated appliances are only one deployment.  Filters on
> routers also qualify as firewalls.  Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> regarding appropriate and competent administration.  The lack thereof
> presents the complication, not the countermeasure itself.
> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well?  Other factions
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the
> and infected.
> --ra
> -- 
> k. rachael treu, CISSP
> ..quis custodiet ipsos custodes?..
> >
> > --bill
