ietf

Re: 64 bit firewalls

2014-07-03 11:56:04
On 07/03/2014 11:20 AM, Phillip Hallam-Baker wrote:
Yes firewalls do suck, but one of the reasons they suck a lot worse than
they need to is because there was a lot of resistance in the IETF to the
whole concept. And so any attempt to make IETF protocols firewall
friendly was often met with obstructionism. 

And maybe not much guidance to make firewalls protocol-friendly, so to
speak?


[...]
Outbound traffic is relatively easy to deal with. All the firewall needs
to do is to decide whether the destination is one that isn't permitted.
And usually the right decision gets made - though there are many
enterprise firewalls locked down to only permit outbound port 80 and 443
and nothing else unless the packets come from a specially privileged
server. OK, this is bad but at least the firewall logs tell us the extent
of the issue.

Is it really bad from a security point of view? -- at the end of the
day, it obeys the principle of "least privilege"....


[....]

Note that this is moving beyond firewalls. Firewalls are a weak security
solution because they only provide policy enforcement at the perimeter.
In a defense in depth strategy we would want every device in the network
to perform policy enforcement and policy audit. 

The fact that you deploy a firewall at the perimeter doesn't mean you
can't or shouldn't, e.g., also deploy a host-based firewall.

Cheers,
-- 
Fernando Gont
e-mail: fernando(_at_)gont(_dot_)com(_dot_)ar || 
fgont(_at_)si6networks(_dot_)com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
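As an added illustration of the two points above (not code from either poster or from any IETF document): the outbound policy described in the thread, where every internal host may go out on tcp/80 and tcp/443 and one "specially privileged server" may go out on anything, written as a small first-match policy evaluator, run over constructed firewall log lines so the tally of denied flows shows the "extent of the issue", and then stacked under a host-based policy so that a flow must pass every enforcement point. The addresses (10.0.0.0/8, the relay 10.0.0.5, the documentation-range destinations), the rule sets and the log lines are all assumptions made up for the example.

```python
"""Egress policy evaluation over constructed flow records (added example).

Models the outbound policy discussed in the thread: only tcp/80 and tcp/443
out, unless the source is a privileged server. Shows how the log of denied
flows reveals what the policy blocks, and stacks a host-based policy under
the perimeter one. Every address, rule and log line here is constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional
import ipaddress
import re


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str                       # CIDR the source must fall in
    dst_net: str = "0.0.0.0/0"         # CIDR the destination must fall in
    proto: Optional[str] = None        # None = any protocol
    dports: frozenset = frozenset()    # empty = any destination port
    action: str = "deny"
    note: str = ""


def matches(rule: Rule, flow: Flow) -> bool:
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src_net):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst_net):
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    if rule.dports and flow.dport not in rule.dports:
        return False
    return True


def evaluate(rules, flow, default="deny"):
    """First matching rule wins, as in most packet filters; default deny."""
    for r in rules:
        if matches(r, flow):
            return r.action, r.note
    return default, "default deny"


def evaluate_layers(layers, flow):
    """Defense in depth: every enforcement point (host, perimeter, ...) must allow."""
    for name, rules in layers:
        action, note = evaluate(rules, flow)
        if action != "allow":
            return "deny", f"{name}: {note}"
    return "allow", "all layers"


LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def parse_flow(line: str) -> Flow:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    src, dst, proto, dport = m.groups()
    return Flow(src, dst, proto, int(dport))


def audit(rules, lines):
    """Apply rules to each log line; return per-flow decisions and a tally of
    denied (proto, dport) pairs, i.e. what the firewall log tells us was blocked."""
    decisions, denied = [], Counter()
    for line in lines:
        flow = parse_flow(line)
        action, note = evaluate(rules, flow)
        decisions.append((flow, action, note))
        if action == "deny":
            denied[(flow.proto, flow.dport)] += 1
    return decisions, denied


# Hypothetical perimeter policy from the thread: everyone out on tcp/80 and
# tcp/443; one privileged relay out on anything.
RELAY = "10.0.0.5"
PERIMETER = [
    Rule(f"{RELAY}/32", action="allow", note="privileged server"),
    Rule("10.0.0.0/8", proto="tcp", dports=frozenset({80, 443}), action="allow", note="web"),
]

# Hypothetical host-based policy on one workstation: it may only talk to the relay.
WORKSTATION_HOST = [
    Rule("10.1.2.3/32", dst_net=f"{RELAY}/32", action="allow", note="to relay only"),
]

# Constructed log lines, not taken from any real firewall.
SAMPLE_LOG = [
    "2014-07-03T11:20:01 src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=443",
    "2014-07-03T11:20:02 src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=22",
    "2014-07-03T11:20:03 src=10.1.2.3 dst=198.51.100.7 proto=udp dport=53",
    "2014-07-03T11:20:04 src=10.1.2.9 dst=198.51.100.7 proto=udp dport=53",
    "2014-07-03T11:20:05 src=10.0.0.5 dst=198.51.100.7 proto=udp dport=53",
    "2014-07-03T11:20:06 src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=25",
]

if __name__ == "__main__":
    decisions, denied = audit(PERIMETER, SAMPLE_LOG)
    for flow, action, note in decisions:
        print(f"{action:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} ({note})")
    print("denied by (proto, dport):", dict(denied))
    web = parse_flow(SAMPLE_LOG[0])
    print("perimeter only  :", evaluate(PERIMETER, web))
    print("host + perimeter:", evaluate_layers([("host", WORKSTATION_HOST), ("perimeter", PERIMETER)], web))
```

The tally from `audit` is the point about logs: with this policy the denied counter shows two udp/53 and one tcp/22 attempt, which is exactly what an operator would use to judge whether the lock-down is breaking something (here, DNS from ordinary hosts). The last two lines show the defense-in-depth case: the perimeter alone allows the workstation's tcp/443 flow, but the host policy, which only permits the relay as a destination, denies it first.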


