Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network

From: Paul Robertson (
Date: 05/28/03

    To: Hugh Blandford <>
    Date: Tue, 27 May 2003 22:50:28 -0400 (EDT)

    On Wed, 28 May 2003, Hugh Blandford wrote:

    > Please take into consideration that if they had a firewall, it would be
    > setup to allow all outbound traffic and let the 'responses' back in. There

    That's a silly and mostly specious pre-requisite. For instance, most
    small office users have *no* need for IRC, and given that IRC is *the*
    major control vector for trojaned machines, why the heck would you allow it
    outbound from a small office? Nuke 6667/tcp outbound and you decrease the
    chance of being owned rather significantly, and you break less than 1/2 of
    1% of SOHO users.

    You shouldn't choose "basically no security policy, now what firewall
    fits?" any more than "Here's a firewall, now what policy should it

    If we don't try to do better, things won't get better.

    You need to look at the threats to such environments and then design
    protections to meet the real risks, not choose an arbitrary line in the
    sand then say "I'm going to defend this position because it's not worth
    doing better."

    What's the threat, what's the cost to protect against it, and what's the
    cost of not protecting- without a risk analysis, you're checking the
    security checkbox without doing security.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation

    firewall-wizards mailing list
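The two egress policies the post contrasts, as an added example that is not code from the post or the list: the "allow all outbound, let the responses back in" policy against a default-deny outbound allowlist in which only the services a small office actually needs (an assumed set) are opened, so an outbound 6667/tcp connection never matches an allow rule. Hosts, ports and flows are constructed sample values.

```python
"""Compare egress policies over a constructed set of outbound flows.
Added example; not code from the mailing-list post."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str     # internal host
    dst: str     # external host
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


# Rule = (action, proto or None for any, dport or None for any); first match wins.
# Policy A: what the quoted message assumes a firewall would be set up to do.
ALLOW_ALL_OUTBOUND = [("allow", None, None)]

# Policy B: default-deny outbound with an explicit allowlist (assumed needs
# of a small office; adjust to the real risk analysis for the site).
SMALL_OFFICE_ALLOWLIST = [
    ("allow", "udp", 53),    # DNS
    ("allow", "tcp", 80),    # HTTP
    ("allow", "tcp", 443),   # HTTPS
    ("allow", "tcp", 25),    # outbound mail
    ("allow", "tcp", 110),   # POP3
]


def evaluate(policy, flow):
    """First-match evaluation; a flow that matches no rule is denied.
    That implicit final deny is what makes the allowlist meaningful."""
    for action, proto, port in policy:
        if (proto is None or proto == flow.proto) and (port is None or port == flow.dport):
            return action
    return "deny"


def permitted(policy, flows):
    """Return the subset of flows the policy lets out of the network."""
    return [f for f in flows if evaluate(policy, f) == "allow"]


SAMPLE_FLOWS = [  # constructed sample traffic from two workstations
    Flow("10.0.0.12", "198.51.100.5", 443, "tcp"),
    Flow("10.0.0.12", "198.51.100.53", 53, "udp"),
    Flow("10.0.0.40", "203.0.113.9", 6667, "tcp"),   # IRC, the control vector the post names
    Flow("10.0.0.40", "203.0.113.9", 31337, "tcp"),  # arbitrary high port
]

if __name__ == "__main__":
    for name, policy in (("allow-all", ALLOW_ALL_OUTBOUND), ("allowlist", SMALL_OFFICE_ALLOWLIST)):
        print(name, [(f.src, f.dport, f.proto) for f in permitted(policy, SAMPLE_FLOWS)])
```

Under the allow-all policy every flow leaves the network; under the allowlist only the DNS and HTTPS flows do, and the 6667/tcp connection is dropped without any rule that names it.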
