Re: I don't need no stinking firewall!

About Merit

Services

Network

Resources & Support

Network Research

News

Events

Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Re: I don't need no stinking firewall!

From: Warren Kumari
Date: Thu Jan 14 00:44:20 2010

List-archive: <http://mailman.nanog.org/mailman/nanog>
List-help: <mailto:nanog-request@nanog.org?subject=help>
List-id: North American Network Operators Group <nanog.nanog.org>
List-post: <mailto:nanog@nanog.org>
List-subscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=subscribe>
List-unsubscribe: <http://mailman.nanog.org/mailman/listinfo/nanog>,<mailto:nanog-request@nanog.org?subject=unsubscribe>

On Jan 10, 2010, at 1:32 AM, Dobbins, Roland wrote:

On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
Again, a firewall has it's place just like any other device in the network, defense in >>> depth is a prudent philosophy to reduce the chances of compromise, it does not >>>eliminate it nor does any architecture you can think of, period

Bah, I was trying not to get sucked into the roaring vortex of this thread, but I think that folks are ignoring one of the primary benefits of firewalls:
Quite simply, its this:

I can now place a checkbox in the "Is there a firewall?" column of the <insert random acronym here> audit.

While it may be fun to rail against the stupidity, after the Nth time that you have had the "This is in no way going to help improves security and will actually decrease it" argument, you realize that, if you want to get real work done, you need to choose your battles.

In may cases the auditor knows that the firewall may not make thing better, and may make them worse, but he has a set of guidelines that the contracting company he is working for dictates, and he needs to see the widget to sign on the dotted line. I have had auditors cheerfully point out that the way that their specific requirement is worded, a commodity CPE device plugged into port somewhere will fully satisfy their requirements and did I know that BestBuy has them on sale this week?

W

What a ridiculous statement - of course it does.

*The place of the stateful firewall is in front of clients, not servers*.

I'm not going to continue the unequal contest of pitting real-world operational experience against Confused Information Systems Security Professional brainwashing. One can spout all the buzzwords and catchphrases one wishes, but at the end of the day, it's all dead wrong - and anyone naive enough to fall for it is setting himself up for a world of hurt.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

Attachment: smime.p7s
Description: application/pkcs7-signature

Follow-Ups:
- Re: I don't need no stinking firewall! Bill Stewart
- Re: I don't need no stinking firewall! Dobbins, Roland

References:
- I don't need no stinking firewall! Brian Johnson
- Re: I don't need no stinking firewall! bill from home
- Re: I don't need no stinking firewall! Dobbins, Roland
- Re: I don't need no stinking firewall! bill from home
- Re: I don't need no stinking firewall! Dobbins, Roland
- Re: I don't need no stinking firewall! Joel Jaeggli
- Re: I don't need no stinking firewall! Dobbins, Roland
- Re: I don't need no stinking firewall! Joel Jaeggli
- Re: I don't need no stinking firewall! harbor235
- Re: I don't need no stinking firewall! Dobbins, Roland
- Re: I don't need no stinking firewall! harbor235
- Re: I don't need no stinking firewall! Dobbins, Roland

Prev by Date: RE: Anyone having issues updating RADB tonight?
Next by Date: Re: I don't need no stinking firewall!
Date Index
Thread Index
Author Index
Historical