Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network
From: Paul Robertson (proberts_at_patriot.net)
Date: 05/28/03
- Previous message: Sutantyo, Danny: "RE: [fw-wiz] IPSEC(sa_initiate): ACL = deny; no sa created"
- In reply to: Hugh Blandford: "[fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Next in thread: Tina Bird: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Reply: Tina Bird: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Reply: Hugh Blandford: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Reply: ark_at_eltex.net: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
- Reply: Chuck Swiger: "Re: [fw-wiz] Benefit of firewall over NAT-only 'protected' network"
To: Hugh Blandford <hugh@island.net.au> Date: Tue, 27 May 2003 22:50:28 -0400 (EDT)
On Wed, 28 May 2003, Hugh Blandford wrote:
> Please take into consideration that if they had a firewall, it would be
> setup to allow all outbound traffic and let the 'responses' back in. There
That's a silly and mostly specious pre-requisite. For instance, most
small office users have *no* need for IRC, and given that IRC is *the*
major control vector for trojaned machines, why the heck would you allow it
outbound from a small office? Nuke 6667/tcp outbound and you decrease the
chance of being owned rather significantly, and you break less than 1/2 of
1% of SOHO users.
You shouldn't choose "basically no security policy, now what firewall
fits?" any more than "Here's a firewall, now what policy should it
support?"
If we don't try to do better, things won't get better.
You need to look at the threats to such environments and then design
protections to meet the real risks, not choose an arbitrary line in the
sand then say "I'm going to defend this position because it's not worth
doing better."
What's the threat, what's the cost to protect against it, and what's the
cost of not protecting- without a risk analysis, you're checking the
security checkbox without doing security.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
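To make the distinction in the reply above concrete, here is an added example (not from the list post or its author) that models the two egress policies as first-match rule lists and runs them over a constructed sample of outbound connection records from a small-office gateway; the log format, addresses and rule structure are assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of outbound connection records from a SOHO NAT gateway
# (hypothetical format: "src dst proto dport"); not real traffic.
SAMPLE_LOG = """\
192.168.1.10 203.0.113.5 tcp 80
192.168.1.11 198.51.100.7 tcp 443
192.168.1.12 192.0.2.44 tcp 6667
192.168.1.10 192.0.2.9 udp 53
192.168.1.12 192.0.2.45 tcp 6667
192.168.1.13 203.0.113.99 tcp 25
"""

@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"

# The premise the post objects to: every outbound flow is permitted.
ALLOW_ALL = [Rule("any", None, "allow")]

# The post's minimal improvement: drop IRC (6667/tcp) outbound, allow the rest.
# First match wins; a flow matching no rule falls through to the default.
BLOCK_IRC = [Rule("tcp", 6667, "deny"), Rule("any", None, "allow")]

def evaluate(policy, proto, dport, default="deny"):
    """Return the action of the first rule matching this outbound flow."""
    for r in policy:
        if r.proto in ("any", proto) and r.dport in (None, dport):
            return r.action
    return default

def parse_log(text):
    """Parse the constructed record format into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$", line.strip())
        if m:
            flows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return flows

def apply_policy(policy, text):
    """Count allowed/denied flows; return internal hosts whose flows were denied."""
    allowed, denied, hosts = 0, 0, set()
    for src, dst, proto, dport in parse_log(text):
        if evaluate(policy, proto, dport) == "allow":
            allowed += 1
        else:
            denied += 1
            hosts.add(src)   # a SOHO host reaching for IRC is worth a closer look
    return allowed, denied, sorted(hosts)
```

Under ALLOW_ALL every record passes; under BLOCK_IRC the two 6667/tcp attempts are dropped and the denied-host list points at the single machine that tried, which is the review trigger the post is arguing a policy should give you.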