mailing list archives
Re: I don't need no stinking firewall!
From: "Michael K. Smith" <mksmith () adhost com>
Date: Sun, 10 Jan 2010 17:03:11 -0800
On 1/9/10 10:32 PM, "Dobbins, Roland" <rdobbins () arbor net> wrote:
On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
Again, a firewall has it's place just like any other device in the network,
defense in >>> depth is a prudent philosophy to reduce the chances of
compromise, it does not >>>eliminate it nor does any architecture you can
think of, period
What a ridiculous statement - of course it does.
*The place of the stateful firewall is in front of clients, not servers*.
I'm not going to continue the unequal contest of pitting real-world
operational experience against Confused Information Systems Security
Professional brainwashing. One can spout all the buzzwords and catchphrases
one wishes, but at the end of the day, it's all dead wrong - and anyone naive
enough to fall for it is setting himself up for a world of hurt.
I certainly understand and agree with your position, in most cases, but
there are some instances when a firewall serves an excellent purpose. As an
example, we manage hundreds of heterogeneous servers where customers also
have administrative access to the devices. As such, we can never be sure
they haven't changed something that can negatively impact the security of
the server or servers.
However, since the firewall is a magic box they don't want anything to do
with it. This means that I can keep a server fairly secure from extraneous
cruft and have a demarcation point into and out of the customer's
environment that I control.
I understand this does nothing for SQL injection, XSS, and other
application-layer mischief, but it does wonders for keeping all the other
stuff blocked, even when an customer "admin" says "why do I need Windows
I wish I had a perfect world where I had a homogenous server environment
that I controlled all the way through the stack with only one Management
Layer to deal with. But, I'm glad I don't because these customers pay my