On Wed, 6 Mar 2002, Ron da Silva wrote:
> > On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
> >
> > > In message <[EMAIL PROTECTED]>, Eric Brandwine writes:
> > >
> > > >Firewalls are good things for general purpose networks. When you've
> > > >got a bunch of clueless employees, all using Windows shares, NFS, and
> > > >all sorts of nasty protocols, a firewall is best practice. Rather
> > > >than educate every single one of them as to the security implications
> > > >of their actions, just insulate them, and do what you can behind the
> > > >firewall.
> > > >
> > > >When you've got a deployed server, run by clueful people, dedicated to
> > > >a single task, firewalls are not the way to go. You've got a DNS
> > > >server. What are you going to do with a firewall? Permit tcp/53 and
> > > >udp/53 from the appropriate net blocks. Where's the protection? Turn
> > > >off unneeded services, choose a resilient and flame tested daemon, and
> > > >watch the patchlist for it.
> > >
> > > Precisely. You *may* need a packet filter to block things like SNMP
> > > (to name a recent case in point), but a general-purpose firewall is
> > > generally the wrong solution for appliance computers.

There is no need to drop traffic for things that aren't listening. Eric's point was you deploy your fancy-dan mail server with ONLY 22 and 25 listening, you know that's all that's listening, and your daily/hourly/weekly/monthly automated audits tell you this continually and alert when there are problems/deviations. So, why filter anything in this case? It's wasted bandwidth/processing power.

> Hmm...but certainly part of the right solution for a general "appliance"
> network.
>

If you run a little network where you know 'precisely' the ins and outs there isn't any reason NOT to have a firewall, IMHO. At the very least for logging/auditing info it's a must. For a backbone, filtering is another story entirely. Filtering backbone equipment for its protection is also a completely different topic...

-Chris
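The automated listening-port audit that Chris describes (a mail server that should expose only tcp/22 and tcp/25, checked on a schedule, with an alert on any deviation) is small enough to show end to end. The script below is an added example, not code from anyone in this thread. It assumes a Linux host where the socket listing comes from `ss -H -l -t -u -n`; the sample output embedded in it is constructed, not captured from a real machine, and deliberately contains one extra listener so the deviation path is exercised.

```python
"""Listening-service audit for a single-purpose host.

Added example (not from the thread). Parses `ss -H -l -t -u -n` style
output, compares the live listening sockets against the set the host is
supposed to expose, and produces an alert text when they differ. Run it
from cron at whatever interval suits you; the exit status is non-zero on
any deviation so a job scheduler or monitoring agent can pick it up.
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Set, Tuple

Listener = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 25)

# Assumption: the host is a mail server that should expose only SSH and SMTP.
EXPECTED: Set[Listener] = {("tcp", 22), ("tcp", 25)}

# Constructed sample of `ss -H -l -t -u -n` output (no header line).
# Columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# The udp/161 line is a planted deviation the audit must report.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128           [::]:22           [::]:*
tcp   LISTEN 0      100        0.0.0.0:25        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*
"""

# netid, state, recv-q, send-q, local addr:port; anything else is ignored.
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+\S+")


def parse_listeners(ss_output: str) -> Set[Listener]:
    """Reduce an ss listing to the set of (proto, port) pairs in use.

    IPv4 and IPv6 sockets on the same port collapse to one entry, since the
    question being audited is "which ports are open", not "on which stack".
    """
    listeners: Set[Listener] = set()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local = m.groups()
        # Local address may be 0.0.0.0:22, [::]:22 or *:22; port is after the last colon.
        port = int(local.rsplit(":", 1)[1])
        listeners.add((proto, port))
    return listeners


@dataclass
class AuditResult:
    unexpected: Set[Listener]  # listening but not in the allow-list
    missing: Set[Listener]     # in the allow-list but not listening

    def ok(self) -> bool:
        return not self.unexpected and not self.missing


def audit(listeners: Set[Listener], expected: Set[Listener] = EXPECTED) -> AuditResult:
    """Compare observed listeners with the expected set in both directions."""
    return AuditResult(unexpected=listeners - expected, missing=expected - listeners)


def format_report(result: AuditResult) -> str:
    """Human-readable summary suitable for a cron mail or a monitoring alert."""
    if result.ok():
        return "OK: listening sockets match the expected set"
    lines = ["ALERT: listening sockets deviate from the expected set"]
    for proto, port in sorted(result.unexpected):
        lines.append(f"  unexpected listener {proto}/{port} (new service, misconfiguration, or compromise)")
    for proto, port in sorted(result.missing):
        lines.append(f"  expected listener {proto}/{port} is not running (service down?)")
    return "\n".join(lines)


def collect_live_listeners() -> Set[Listener]:
    """Query the running host (Linux iproute2 `ss`); not used by the sample run."""
    out = subprocess.run(
        ["ss", "-H", "-l", "-t", "-u", "-n"], capture_output=True, text=True, check=True
    ).stdout
    return parse_listeners(out)


if __name__ == "__main__":
    # Pass --live to audit the real host instead of the constructed sample.
    observed = collect_live_listeners() if "--live" in sys.argv else parse_listeners(SAMPLE_SS_OUTPUT)
    result = audit(observed)
    print(format_report(result))
    sys.exit(0 if result.ok() else 1)
```

Checking in both directions matters: an unexpected listener is the classic sign of an unwanted service or an intrusion, while a missing one means the audit itself, not just the service, has stopped telling you what you think it is telling you. Pairing the script with something that also records the owning process (`ss -p` on Linux) makes the alert actionable without changing the comparison logic.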
