North American Network Operators Group
Re: Firewall opinions wanted please
- From: Alexei Roudnev
- Date: Wed Mar 17 14:26:02 2004
Not _firewalling_, but access limitation. Grandma can live with a PNAT
router - she does not need any firewall if she does not grant external access
to anything. She can live with the Windows _default deny_ setting. If grandma
has extra money, it is better to purchase anti-virus.
Moreover, just for _grandma_, it can be cheaper to do nothing than to invest
in security (bad thing for us, I know!) - because she loses '$0' in case
of intrusion... It explains the wide spread of modern viruses, spam-trojans etc.
(they cost '$0' to infected households in many cases).
It is like wireless access - my friend has a secured access point, but when I
tried, I could use the unsecured access points of 2 of his neighbours.
They know about the insecurity - but they do not lose anything, so they do not
want to spend $0.01 to improve it. And unfortunately, I cannot blame them.
> On Wed, Mar 17, 2004 at 08:54:57AM -0800, bill said something to the
> > > > The best option I guess is to figure out how important it is for you to have a firewall,
> > >
> > > _Everyone_ (network connected) should have a firewall. My grandma
> > > have a firewall. Nicole, holding dominion over this business network
> > > its critical infrastructure, should _definitely_ have a firewall. ;)
> > >
> > Why? When did the end2end nature of the Internet suddenly
> > sprout these mutant bits of extra complexity that reduce
> > the overall security of the 'net?
> > Two questions asked, Two answers are sufficient.
> Nope. One will do it. The day the first remote exploit or condition,
> in protocol or application, that could potentially have given rise to such
> an exploit made it possible for a user not in your control to gain
> of your box(en), firewalling became necessary. The Internet is not
> end-to-end beyond pure fundamentals; it's more end-to-many-ends. And the
> notion of "end-to-end" requires preservation of a connection between 2
> consenting hosts, and preservation includes securement of that connection
> against destructive mechanisms, which includes the subversive techniques
> interceptions commonly associated with network security.
> Denial of Service is as much a threat to availability and network
> functionality as is power outage if it occurs. Before this turns to a
> security freaks want to screw around with my network and don't care about
> Firewalls are logical interventions, costing as little as some processor
> overhead. Dedicated appliances are only one deployment. Filters on
> routers also qualify as firewalls. Am I correct in understanding that you
> feel edge filtering is mutant lunacy and unnecessary complexity?
> Regarding dedicated firewalls, please see Mr. Bellovin's previous post
> regarding appropriate and competent administration. The lack thereof
> presents the complication, not the countermeasure itself.
> As for your assertion that firewalls "reduce the overall security of the
> 'net."...can you please elaborate on that, as well? Other factions
> argue that it's the other team refusing to lock their doors at night that
> are perpetuating the flux of bad behavior as a close second to the
> and infected.
> k. rachael treu, CISSP email@example.com
> ..quis custodiet ipsos custodes?..
> > --bill