On 07/03/2014 11:20 AM, Phillip Hallam-Baker wrote:
> Yes firewalls do suck, but one of the reasons they suck a lot worse than
> they need to is because there was a lot of resistance in the IETF to the
> whole concept. And so any attempt to make IETF protocols firewall
> friendly was often met with obstructionism.

And maybe not much guidance to make firewalls protocol-friendly, so to speak?

[...]

> Outbound traffic is relatively easy to deal with. All the firewall needs
> to do is to decide whether the destination is one that isn't permitted.
> And usually the right decision gets made - though there are many
> enterprise firewalls locked down to only permit outbound port 80 and 443
> and nothing else unless the packets come from a specially privileged
> server. OK this is bad but at least the firewall logs tell us the extent
> of the issue.

Is it really bad from a security point of view? -- at the end of the day, it obeys the principle of "least privilege"....

[....]

> Note that this is moving beyond firewalls. Firewalls are a weak security
> solution because they only provide policy enforcement at the perimeter.
> In a defense in depth strategy we would want every device in the network
> to perform policy enforcement and policy audit.

The fact that you deploy a firewall at the perimeter doesn't mean you can't or shouldn't e.g. deploy a host-based firewall.

Cheers,
--
Fernando Gont
e-mail: fernando@xxxxxxxxxxx || fgont@xxxxxxxxxxxxxxx
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
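As an added illustration of the two points in the exchange above (a default-deny egress policy that only lets ordinary hosts out on 80/443 while one privileged server is exempt, and the firewall logs being what tells you the extent of what that policy breaks), here is a small Python model. It is not code from the thread or from either participant. The /24, the privileged host 10.0.0.5, the destination addresses and the sample flows are all constructed for the example; the same `decide()` function could just as well run on a host-based firewall as at the perimeter, which is the defense-in-depth point Fernando makes.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology for this example (not from the thread): one internal
# /24 and one "specially privileged" host, e.g. a mail relay, that is
# allowed past the web-only rule.
INTERNAL = ip_network("10.0.0.0/24")
PRIVILEGED_SOURCES = {ip_address("10.0.0.5")}
ALLOWED_EGRESS_TCP_PORTS = {80, 443}

LOG_RE = re.compile(
    r"^EGRESS (?P<verdict>ACCEPT|DROP) (?P<proto>\w+) "
    r"(?P<src>\S+) -> (?P<dst>\S+):(?P<dport>\d+) "
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def decide(flow):
    """Return (verdict, reason) for one outbound flow.

    Least privilege means default deny: anything not explicitly permitted
    below is dropped, exactly like the locked-down enterprise firewall in
    the quoted message.
    """
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    if src not in INTERNAL:
        return "drop", "source not internal"        # basic anti-spoofing
    if dst in INTERNAL:
        return "accept", "not egress"               # stays inside the perimeter
    if src in PRIVILEGED_SOURCES:
        return "accept", "privileged source"        # the one exempt server
    if flow.proto == "tcp" and flow.dport in ALLOWED_EGRESS_TCP_PORTS:
        return "accept", "web port"
    return "drop", "default deny"                   # everything else, incl. UDP 443


def apply_policy(flows):
    """Evaluate flows and emit one firewall-style log line per decision."""
    return [
        f"EGRESS {verdict.upper()} {f.proto} {f.src} -> {f.dst}:{f.dport} ({reason})"
        for f in flows
        for verdict, reason in (decide(f),)
    ]


def audit_denials(log_lines):
    """Summarise DROP lines by (source, destination port).

    This is the "logs tell us the extent of the issue" step: it shows which
    hosts keep hitting the default-deny rule and on which ports, so an
    operator can decide whether an explicit exception is warranted.
    """
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("verdict") == "DROP":
            counts[(m.group("src"), int(m.group("dport")))] += 1
    return counts


# Constructed sample flows: a workstation browsing, the same workstation
# trying SMTP, the privileged relay doing SMTP, a host doing external DNS
# twice, and a QUIC attempt (UDP 443) that the TCP-only rule does not cover.
SAMPLE_FLOWS = [
    Flow("10.0.0.7", "203.0.113.10", 443),
    Flow("10.0.0.7", "203.0.113.10", 80),
    Flow("10.0.0.7", "198.51.100.9", 25),
    Flow("10.0.0.5", "198.51.100.9", 25),
    Flow("10.0.0.8", "203.0.113.53", 53, "udp"),
    Flow("10.0.0.8", "203.0.113.53", 53, "udp"),
    Flow("10.0.0.7", "203.0.113.10", 443, "udp"),
]

if __name__ == "__main__":
    log = apply_policy(SAMPLE_FLOWS)
    print("\n".join(log))
    for (src, port), n in sorted(audit_denials(log).items()):
        print(f"{src} dropped {n}x on port {port}")
```

Running it prints the seven log lines and then the denial summary; the UDP 443 and UDP 53 drops are the kind of collateral damage such a policy causes, and they are only visible because every decision was logged.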