On 7-sep-2005, at 1:54, Steven M. Bellovin wrote:
I recognize that carrying all existing firewalls to the scrap heop won't immediately solve our problems, but we do have to realize that current filter practice do almost as much harm as they do good. We really need better stuff here.
(It's amusing to see that to some people, security means encrypting their communication, while to others it means inspecting that same communication.)
I opt for each in its place. I'm also an advocate for distributed firewalls. But I *really* don't want to refight the whole firewall issue yet again; I've been through that too many times in the last decade or so.
:-) Well I wouldn't mind having this fight if I thought it would do any good, but that doesn't seem likely. What _could_ do some good is come up with better stuff than just observe packets on the wire. The exact same packet can either be completely harmless or be part of a huge security breach, depending on what software sent it / will receive it. It would be great if a security device could block packets sent by Apache 2.8 while allowing the same packets if sent by Apache 2.81.
For right now, though, the issue is engineering. Again, the vast majority of hosts are behind firewalls. Is the philosophical issue that important that we should ignore it? I don't think so.
Well, I had occasion to write a NAT and firewall considerations section for a draft not long ago, but the trouble is: what should go in there? As long as there are no guidelines on how to interact with firewalls such sections will generally reflect the private opinions of the authors, which may or may not be useful on a case-by-case basis.
(In this case, my main concern was that certain signalling traffic would be handled the same as certain other signalling traffic by firewalls, and it would be good if we could make both types of signalling be treated the same as the data traffic, but that didn't seem doable.)
_______________________________________________ Ietf@xxxxxxxx https://www1.ietf.org/mailman/listinfo/ietf