Re: Telco's write best practices for packet switching networks

[Sean Donelan]

My comment was originally prompted by the meeting minutes which
reported on the survey data showing that 100% of carriers are implementing
firewalls in their gateways.  The 100% is what caught my eye.  As the
topic comes up in various places, large ISPs repeatedly say they are
unable to implement filters or packet screening on their high-speed
links such as at peering points.  So the self-reported 100% implementation
of screening and filtering firewalls at gateways didn't seem to jive
with my understanding of the limitations faced by large ISPs.

Firewalls can be a useful tool in the security engineer's toolbox.  But
they get misused a lot.  I don't believe security engineers are better
programmers.  If there was a class of programmers in the world that didn't
make mistakes, I would hire them to write the applications. When the
firewall is more complex than the application server it is "protecting"
which is likely to have more mistakes?