"the primary purpose of a firewall is to keep the bad
guys away from the buggy code. Firewalls are the networks' response to
the host security problem."
a pretty good sound bite.
Thanks -- I've been using that line for about 10 years, and I haven't gotten
tired of it yet....
Add to that that you don't really know what's
safe or unsafe, and that you have some services that are convenient for
insiders but don't have adequate, scalable authentication on which you
can build an authorization mechanism, and you see why firewalls are
Perfect? No, of course not. A good idea? Absolutely.
Who is configuring the "firewall"? What are its capabilities?
How easy will it be to deploy new services? I, as an end user,
am abdicating most of my responsibility to or it is being hijacked
by one or more network service providers. Ken is right.
I don't have time to participate in this thread any more tonight --
tomorrow is the biweekly IESG call, and I still have several documents
to review -- but I never said that ISPs should implement firewalls. In
fact, in general that's a bad idea. Firewalls are the instantiation of
a security policy; I don't want my ISP telling me what my security policy
is or should be.
To be sure, there is a market for a value-added ISP service that
provides assorted types of filtering. But that's the sort of thing
that's best done by consenting adults. More later....
--Steve Bellovin
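Added illustration, not code from this thread or from any of its participants: the point that a firewall is the instantiation of a security policy, written down as an ordered rule list, can be made concrete with a toy first-match packet filter. The addresses, ports, hostnames, the "site" policy and the "ISP" policy below are all constructed for the example; running the same packets through the two rule lists shows that whoever writes the rules is deciding the policy.

```python
"""Added example, not from the thread: a firewall as a written-down policy.
Every address, port and rule here is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

INSIDE = ip_network("10.0.0.0/8")   # constructed: the site's internal range
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: object            # ip_network the source must fall inside
    dst: object            # ip_network the destination must fall inside
    dport: Optional[int]   # None means any destination port
    why: str               # the policy statement this rule encodes


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in rule.src
            and ip_address(pkt.dst) in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet no rule names is dropped (default deny)."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def verdicts(policy: List[Rule], packets: List[Packet]) -> List[str]:
    return [decide(policy, p) for p in packets]


# The site's own policy: expose only the service meant to be public, and keep
# the convenient-but-weakly-authenticated insider service reachable from
# inside only. Whatever is not named here (buggy or unknown daemons) is dropped.
SITE_POLICY = [
    Rule("allow", ANY, ip_network("10.1.1.10/32"), 443,
         "public HTTPS server: intended to face the Internet"),
    Rule("allow", INSIDE, ip_network("10.1.1.20/32"), 2049,
         "NFS for insiders: its authentication is not good enough to expose"),
    Rule("allow", INSIDE, ANY, None,
         "insiders may initiate connections anywhere"),
    Rule("deny", ANY, ANY, None,
         "default deny: everything else, including code nobody vetted"),
]

# A hypothetical upstream ISP policy: blocks customers' direct outbound SMTP
# and passes everything else. It may help some customers, but it is the
# ISP's policy, not the site's, and the site cannot see or change it.
ISP_POLICY = [
    Rule("deny", INSIDE, ANY, 25, "ISP blocks direct outbound SMTP"),
    Rule("allow", ANY, ANY, None, "ISP passes everything else"),
]

# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.7", "10.1.1.10", 443),    # outsider -> public web server
    Packet("203.0.113.7", "10.1.1.20", 2049),   # outsider -> insider-only NFS
    Packet("10.2.3.4", "10.1.1.20", 2049),      # insider -> NFS
    Packet("203.0.113.7", "10.1.1.10", 22),     # outsider -> ssh on web host
    Packet("10.2.3.4", "198.51.100.9", 25),     # insider sending mail outbound
]

if __name__ == "__main__":
    for pkt, site, isp in zip(SAMPLE, verdicts(SITE_POLICY, SAMPLE),
                              verdicts(ISP_POLICY, SAMPLE)):
        print(f"{pkt.src} -> {pkt.dst}:{pkt.dport}  site={site}  isp={isp}")
```

The last sample packet is the one the thread is really about: the site's policy allows its own users to send mail out, the ISP's policy does not, and the user on the inside has no say in the second verdict.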