On 7-sep-2005, at 1:54, Steven M. Bellovin wrote:
I recognize that carrying all existing firewalls to the scrap heop
won't immediately solve our problems, but we do have to realize that
current filter practice do almost as much harm as they do good. We
really need better stuff here.
(It's amusing to see that to some people, security means encrypting
their communication, while to others it means inspecting that same
I opt for each in its place. I'm also an advocate for distributed
firewalls. But I *really* don't want to refight the whole firewall
issue yet again; I've been through that too many times in the last
decade or so.
:-) Well I wouldn't mind having this fight if I thought it would do
any good, but that doesn't seem likely. What _could_ do some good is
come up with better stuff than just observe packets on the wire. The
exact same packet can either be completely harmless or be part of a
huge security breach, depending on what software sent it / will
receive it. It would be great if a security device could block
packets sent by Apache 2.8 while allowing the same packets if sent by
For right now, though, the issue is engineering. Again, the vast
majority of hosts are behind firewalls. Is the philosophical issue
that important that we should ignore it? I don't think so.
Well, I had occasion to write a NAT and firewall considerations
section for a draft not long ago, but the trouble is: what should go
in there? As long as there are no guidelines on how to interact with
firewalls such sections will generally reflect the private opinions
of the authors, which may or may not be useful on a case-by-case basis.
(In this case, my main concern was that certain signalling traffic
would be handled the same as certain other signalling traffic by
firewalls, and it would be good if we could make both types of
signalling be treated the same as the data traffic, but that didn't
Ietf mailing list