Re: primary purpose of firewalls

ietf

[Top] [All Lists]

<prev [Date] next>

<prev [Thread] next>

Re: primary purpose of firewalls

2003-06-20 01:44:56

from [Harald Tveit Alvestrand]

[Permanent Link]

--On torsdag, juni 19, 2003 22:00:48 -0400 Keith Moore <moore(_at_)cs(_dot_)utk(_dot_)edu>wrote:

> I believe the primary purpose of firewalls should be to
> protect the network, not the hosts, from abusive or
> unauthorized usage.

I do not agree with this. The primary purpose of firewalls is to protect
BOTH the network and the hosts.


the reason I disagree is that fundamentally, there's no way that a
firewall can reliably distinguish legitimate traffic from illegitimate
traffic, and there's no way that a firewall can exclude all (or in many
cases even most) threats.  to do that it would have to be smarter than
the application.


I actually agree with both of the statements that are double-quoted above...

- the primary purpose of firewalls SHOULD BE to protect the network
- the primary purpose of firewalls IS to protect the hosts

The reasoning is that I think most hosts SHOULD be hardened enough to dotheir job while standing "naked" on the network, while in the current stateof affairs, the proportion of hosts that are capable of standing up toserious attacks from the Internet without the firewalls' comfort blanketsis probably better measured as parts per million than as a percentage.

(the proportion of hosts that are able to survive serious attacks WITH thefirewalls' help may be all the way up into single digit percentages....)


               Harald

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), (continued) RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), Fleischman, Eric Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Bob Braden Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Eric Rescorla Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Theodore Ts'o Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Michael Thomas RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), Michel Py RE: Re[2]: myth of the great transition (was US Defense Department forma lly adopts IPv6), Michel Py Re[4]: myth of the great transition (was US Defense Department forma lly adopts IPv6), Richard Welty RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), Michel Py primary purpose of firewalls, Keith Moore Re: primary purpose of firewalls, Harald Tveit Alvestrand <= Re: primary purpose of firewalls, Michael Richardson RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), Michel Py Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), J. Noel Chiappa Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Keith Moore Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Vernon Schryver Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), S Woodside Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Bob Braden Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), J. Noel Chiappa Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Jonathan Hogg Re: myth of the great transition (was US Defense Department forma lly adopts IPv6), Melinda Shore

Previous by Date:	RE: myth of the great transition (was US Defense Department forma lly adopts IPv6), manojd
Next by Date:	Re: WG review: Layer 2 Virtual Private Networks (l2vpn), Harald Tveit Alvestrand
Previous by Thread:	primary purpose of firewalls, Keith Moore
Next by Thread:	Re: primary purpose of firewalls, Michael Richardson
Indexes:	[Date] [Thread] [Top] [All Lists]