Re: primary purpose of firewalls

2003-06-19 20:31:45
Keith Moore wrote:
I believe the primary purpose of firewalls should be to
protect the network, not the hosts, from abusive or
unauthorized usage.
Michel Py wrote:
I do not agree with this. The primary purpose of firewalls is
to protect BOTH the network and the hosts.

the reason I disagree is that fundamentally, there's no way
that a firewall can reliably distinguish legitimate traffic
from illegitimate traffic,

This is flat out untrue. Below are a few examples of illegitimate
traffic that my firewall trashed recently.

read what I wrote again.  yes it can catch some things that are illegitimate.
it cannot reliably catch all things that are illegitimate without also
blocking legitimate traffic.

what it cannot do is remove the burden from hosts and
applications to implement reliable security.

This is unexpected coming from you. Look again at the last example I
pasted. Do _you_ suggest that I should trust _that_ vendor to implement
reliable security?

I believe you should buy or write applications that ensure their own security
and protect the security of the machines on which they are hosted.  I believe
you should buy computing platforms that provide facilities to isolate
applications from one another, so that a single compromised application
doesn't compromise your entire platform.  I didn't say you should trust
others' applications to not try to attack your system.

an intermediary MUST NOT alter the source or destination
field in an IP header.

There is nothing wrong with this if another intermediary puts it
back the way it was originally, preserving end-to-end traffic.

if you're talking about RSIP, I don't think that's true, because
IIRC it still requires hosts and apps to be aware of addressing
realms.

I was talking about MHAP which is transparent to hosts and apps.

I'm not familiar with that acronym.  pointer to a spec?

Keith