>That's my concern: people insist on running broken/lame protocols
>through their firewalls, and they convince themselves that the
>firewall is doing something for them. In fact, the firewall is
>doing next to nothing. Nothing a router can't do, anyhow.
>...
>I'm not just messin' with you here -- these are fundamental
>problems with the concept of firewall, and they are problems I've
>been wrestling for, oh, a while. In fact, I've finally concluded
>as a result of these issues that firewalls are no longer useful
>technologies. There are too many "business critical" applications
>being deployed through firewalls which the firewalls cannot usefully
>operate on (indeed, the vast majority of firewalls on the market
>do _no_ security processing _at_ _all_ other than adaptively
>creating and destroying what amount to router filters).
>...
>I don't think a firewall is an answer to _any_ question, anymore.
You're being a perfectionist... not normally a bad thing, but..
You're asserting that if there is one hole (say, a really big one), then the
entire firewall might as well not be there. This is, of course, untrue.
In a security class I once took, the instructor claimed that a proxy
is not a firewall. A proxy is something that lets things through. A
firewall is something that stops them. He claimed there were different
components, though complementary. I tend to like that train of thought,
though it's not popular when we get into philosophical discussions like
this.
The point is that even given a gaping hole, I still don't want the
whole world to have direct NBT access to all my Windows boxes
inside.
Firewalls aren't useless now, they're just a basic minimum.
Are you running NFR with no firewall? :)
(This is more Marcus-bait. He probably wrote a new one from scratch
for this purpose...)
Ryan
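The "basic minimum" argued for above, modelled as an added example that is not code from this post or from any firewall product: a default-deny inbound filter that keeps one deliberate hole (a published web server) and installs the adaptive, flow-scoped router filters the quoted text describes, so that inside-initiated traffic and its replies pass while unsolicited inbound NBT/SMB to the Windows boxes does not. The topology, addresses and class names are constructed for the illustration.

```python
"""Minimal stateful packet-filter model (constructed example, not a product).

Policy: deny inbound by default, allow outbound, remember outbound flows so
their replies are let back in, and publish inside services only through an
explicit list of holes."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Well-known NetBIOS-over-TCP/IP and SMB ports.
NBT_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (Internet -> inside) or "out" (inside -> Internet)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK: a new connection attempt


FlowKey = Tuple[str, str, int, str, int]


class StatefulFilter:
    """Default-deny inbound; dynamic reverse entries for inside-initiated flows."""

    def __init__(self, inbound_holes: List[Tuple[str, str, int]]):
        # (proto, inside_host, port) the Internet is explicitly allowed to reach.
        self.holes: Set[Tuple[str, str, int]] = set(inbound_holes)
        # Adaptive filters: flows seen leaving the inside, keyed by 5-tuple.
        self.flows: Dict[FlowKey, bool] = {}

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            # Inside-initiated: permit and create the matching reverse filter.
            self.flows[self._key(p)] = True
            return "allow"
        if self._reverse_key(p) in self.flows:
            return "allow"              # reply to a flow we started
        if (p.proto, p.dst, p.dport) in self.holes:
            return "allow"              # explicitly published service
        return "deny"                   # everything else, NBT included

    def expire(self, p: Packet) -> None:
        """Destroy the dynamic filter when a flow ends (e.g. TCP FIN/RST)."""
        self.flows.pop(self._key(p), None)
        self.flows.pop(self._reverse_key(p), None)

    def published_nbt(self) -> Set[Tuple[str, str, int]]:
        """Static holes that would expose NetBIOS/SMB; a sane policy has none."""
        return {h for h in self.holes if h[2] in NBT_PORTS}


def demo() -> Dict[str, str]:
    # Constructed topology: one published web server, Windows hosts inside.
    fw = StatefulFilter(inbound_holes=[("tcp", "10.0.0.5", 80)])
    r: Dict[str, str] = {}
    # The deliberate hole: anyone may reach the web server on port 80.
    r["web_in"] = fw.decide(Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.5", 80, syn=True))
    # Unsolicited inbound NBT/SMB to a Windows box: no flow, no hole, denied.
    r["nbt_in"] = fw.decide(Packet("in", "tcp", "198.51.100.7", 40001, "10.0.0.20", 139, syn=True))
    r["smb_in"] = fw.decide(Packet("in", "tcp", "198.51.100.7", 40002, "10.0.0.20", 445, syn=True))
    # Inside host browses out; the reply is admitted by the dynamic entry.
    r["http_out"] = fw.decide(Packet("out", "tcp", "10.0.0.20", 51000, "203.0.113.9", 80, syn=True))
    r["http_reply"] = fw.decide(Packet("in", "tcp", "203.0.113.9", 80, "10.0.0.20", 51000))
    # Once the flow is torn down the same reply packet is denied again.
    fw.expire(Packet("out", "tcp", "10.0.0.20", 51000, "203.0.113.9", 80))
    r["http_reply_after_close"] = fw.decide(Packet("in", "tcp", "203.0.113.9", 80, "10.0.0.20", 51000))
    r["nbt_published"] = "exposed" if fw.published_nbt() else "none"
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The model does only what the quoted text says most firewalls do, adaptively creating and destroying router-style filters, yet it still makes the point of the reply: the one published hole does not turn into NBT reachability for every host behind it, and `published_nbt()` is the check an operator would run to confirm no hole lands on those ports.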