begin quoting Tracy R Reed as of Sun, May 21, 2006 at 03:59:53PM -0700:
> Andrew Lentvorski wrote:
> >Anyhow, the longer I am at this, the less convinced I am about the 
> >benefit of "default deny" in an end-user system.  Even behind all these 
> >"secure NATs", botnets thrive anyhow.  But that's a different discussion.
> 
> I'm with you on this one. Firewalls in general have been way oversold. 

As in 'hyped as a panacea'? Yes.

But then, so has the network itself. Agents. The web. P2P. Virus scanners.

Don't look to the salesmen for a realistic evaluation.

> We set up a firewall and the first thing we always do is open/forward 
> the interesting ports to our internal applications. Ideally you want a 
> firewall and host-based security both but given the choice between a 
> firewall only or host-based security only I would take host-based. The 

Ideally, you want a DMZ with proxies. _Ideally_, no packets on the
internal network *ever* make it out to the Internet without first going
through a firewalling proxy, and vice versa.

That, however, is expensive and considered paranoid.  So people don't
do it.  They buy the turnkey panaceas.

> reason being the first time someone brings an infected laptop from home 
> and plugs it in behind your firewall your whole network is owned unless 
> you have host based security.

Don't bash firewalls for piss-poor network design.  They're only an
element to be used in your network design, not the sole component.

>                               But a single firewall is a lot easier to 
> manage than actually securing all of your individual hosts so hardly 
> anyone does this in practice so we end up with huge botnets.

That's people selling firewalls as a panacea.  It's not a good idea
to make your network crunchy on the outside and chewy on the inside.

Of course, if you go solely with host-based security on account of
your users being idiots, why do you think they'll maintain good
discipline when you dump the firewall?

Let's say you dump the firewall in favor of host-based security. It
is difficult to configure the host-based security to let you print
to the network printer, so you turn it _off_ to print.  If you're 
printing a bunch of stuff, you'll turn it off and leave it off, and
when you're done, you _might_ remember to turn it back on.

(Real-life example. Don't tell me people don't do this sort of thing.)

How long can an unprotected machine be on the Internet before it gets
compromised, assuming it has no protection in place? One minute? Two?

I'll take crunchy-on-the-outside-chewy-on-the-inside any day of the
week over crunchy-for-all-but-an-hour-a-day-when-I-drop-my-pants.  If 
I'm going to blow holes in my firewall so that "stuff will work", I'm
going to do equally stupid things if I dispense with the firewall. So
it's not a fair comparison to whine about how firewalls don't protect
our networks from stupid network administrators and malicious users.

-- 
_ |\_
 \|


-- 
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
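The "turn the host firewall off to print" failure mode described in the message above has a cheap fix: keep the default-deny policy and add one rule for the printer. The ruleset below is an added example, not part of the list post and not anyone's production configuration; it shows a default-deny host firewall for a Linux workstation that still allows printing. It assumes the network printer lives at 192.0.2.20 and speaks IPP (tcp/631) or raw JetDirect (tcp/9100), that the local resolver is 192.0.2.53, and that nftables 0.9 or later is installed; all of those addresses and ports are placeholders chosen for the example.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the list post): default-deny in both directions on a
# workstation, with an explicit exception for the network printer so the
# firewall never has to be switched off to print.
# Assumed placeholders: printer 192.0.2.20 (IPP tcp/631, JetDirect tcp/9100),
# resolver 192.0.2.53. Replace with your own values.

flush ruleset

table inet host_fw {
    # Printers are named once in a set, so adding a printer is a one-line edit
    # rather than a reason to disable the firewall.
    set printers {
        type ipv4_addr
        elements = { 192.0.2.20 }
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Just enough ICMP for ping, path MTU discovery and IPv6 neighbour discovery.
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded,
                      nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # DHCP replies (server port 67 -> client port 68).
        udp sport 67 udp dport 68 accept

        # Anything else inbound, e.g. an infected laptop probing SMB or RPC on the
        # LAN, is logged (rate limited) and then hits the drop policy.
        limit rate 10/minute log prefix "host_fw drop in: "
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state established,related accept

        # Printing: IPP and JetDirect, but only to the known printers.
        ip daddr @printers tcp dport { 631, 9100 } ct state new accept

        # IPv6 neighbour and router discovery originated by this host.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request } accept
        icmp type echo-request accept

        # Name resolution to the local resolver only, and DHCP requests.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept
        udp sport 68 udp dport 67 accept

        # Ordinary web traffic. New needs get a rule here, not a disabled firewall.
        tcp dport { 80, 443 } ct state new accept

        limit rate 10/minute log prefix "host_fw drop out: "
    }
}
```

Load it with `nft -f host_fw.nft` and confirm with `nft list ruleset`; a print job should then succeed while `nft list counters` or the kernel log shows anything else to or from the LAN being dropped. The point, relative to the message above, is that the exception is one line that stays in place, so the firewall is never "off for an hour a day" and the comparison between host-based and perimeter filtering becomes a fair one.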