
Re: primary purpose of firewalls

2003-06-21 22:36:57


On Sat, 21 Jun 2003, S Woodside wrote:

On Saturday, June 21, 2003, at 08:17  PM, David Morris wrote:

Based on policies that reject inbound
connections to all computers except those carefully hardened and
sequestered in their own 'DMZ' will dramatically reduce the potential of
compromise from many risky applications ranging from TELNET on Solaris to
SMB on Windows.

It would be just as hard to traverse that firewall, then (for voice),
as it would be to traverse a NAPT, no?

In the case of the product I use, 'NAPT' is a default behavior, but
alternate configurations are possible including no NAT. Opening inbound
connections to arbitrary hosts is always a risk since there are many
reasons that one can't trust the security status of desktop machines for
at least some percentage of the user population. I'm certainly not ready
to allow connection to any application I know of from outside of my
firewall when I can't control the machine.

So I guess my short answer is I hope so.

Dave Morris