I don't need no stinking firewall!

From: Jared Mauch <jared@puck.nether.net>
Date: Tue, 5 Jan 2010 16:20:56 -0500

> It's all how you configure and tweak the firewall. Recommending people run servers without a firewall is bad advice - do you really want your Win2k3 server exposed, SMB, RPC, and all to the world?

Some people think that exposing any functionality by default such as that is a poor security practice :)

My biggest issue is that people think that firewalls, AV, etc. are a catch-all for any network/user/security badness. The real world is more complex than that.

Most people make poor security choices and this creates much larger issues.

"I thought the firewall would protect me."
"I thought my IPS would protect me."
"I thought my AV would protect me."

Most of these technologies create a truly false sense of security.

I'm once again reminded of many people who do technically "silly"
things like block TCP/53, packets over 512 bytes, port 587, ssl imap
ports, etc.

It's frustrating and sad because it's not an effective security
strategy and frustrates grumpy old-school users such as myself who used
ODI drivers w/ KA9Q to multitask over our CSLIP networks.

I suspect at least part of this will soon get fixed due to DNSSEC.
Blocking tcp/53 and packets over 512 bytes will cause user complaints
and, after enough education, the problem will get fixed.

I had a problem with a large US government site due to tcp/53 blocking
and had no luck getting it fixed. The "Security Officer" informed me
that tcp/53 was only ever needed for zone transfer and any other use was
clear evidence of abuse. RFCs meant nothing to him. (I don't know if he
knew what an RFC was.)

Now that gov domains are mandated to be signed, it seems he learned that
tcp/53 could be used for normal operations.

"You can get more with a kind word and a two-by-four than you can with
just a kind word."
           -- J. Michael Straczynski, "Ceremonies of Light and Dark", Babylon 5

Yes. Remember the root zone is due to be signed within the next six
months, and many nameservers (BIND in particular) request DNSSEC data by
default. You WILL have to deal with large DNS replies SOON - the first
ones from the root servers will appear this month.
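The point raised across this thread is that a DNSSEC-aware resolver advertises a large EDNS0 UDP payload size and sets the DO bit, so replies routinely exceed 512 bytes, and when a reply does not fit the server sets the TC (truncated) bit and the client must retry over TCP/53. The following is an added example, not code from the thread or from any project named in it: a small stdlib-only Python tool that builds such a query, reads the EDNS0 parameters back out of a message, and classifies a reply so that a firewall rule blocking tcp/53 or >512-byte datagrams can be recognised as the cause of a failure. All wire values (transaction id 0x1234, the sample replies) are constructed for the example.

```python
import struct

# --- building a DNSSEC-aware query (RFC 1035 header/question, RFC 6891 OPT RR) ---

def encode_name(name):
    """Encode a dotted name as DNS labels, e.g. example.com -> \\x07example\\x03com\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, edns_udp_size=4096, dnssec_ok=True):
    """Standard recursive query with an OPT pseudo-RR in the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode/version/flags; DO is the high bit of the flags (0x00008000).
    ttl = 0x8000 if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, ttl, 0)
    return header + question + opt

# --- parsing ---

def parse_header(msg):
    """Return the fixed 12-byte header fields; TC is the truncation flag (0x0200)."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}

def skip_name(msg, off):
    """Advance past a possibly compressed name; return the offset after it."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length

def edns_params(msg):
    """Walk the sections and return the OPT RR's payload size and DO bit, or None."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4            # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:
            return {"udp_payload_size": rclass, "dnssec_ok": bool(ttl & 0x8000)}
    return None

def classify_response(msg):
    """Say what transport path a reply needed, so a blocked path can be diagnosed."""
    if parse_header(msg)["tc"]:
        return "truncated: retry over TCP/53"
    if len(msg) > 512:
        return "large UDP reply (>512 bytes): needs EDNS0 path"
    return "classic UDP reply (<=512 bytes)"

# --- TCP/53 framing: each message is prefixed by a 2-byte length (RFC 1035 4.2.2) ---

def tcp_frame(msg):
    return struct.pack("!H", len(msg)) + msg

def tcp_unframe(data):
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("incomplete TCP DNS frame")
    return data[2:2 + length]

# --- constructed sample replies (not captured traffic) ---
_QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
# flags 0x8380 = QR|TC|RD|RA: server could not fit the answer in the UDP budget
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
# flags 0x8180 = QR|RD|RA; 600 filler bytes stand in for RRSIG-laden answer data
LARGE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION + b"\x00" * 600
SMALL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    q = build_query("example.com")
    print("query EDNS0 params:", edns_params(q))
    for label, reply in (("truncated", TRUNCATED_REPLY), ("large", LARGE_REPLY), ("small", SMALL_REPLY)):
        print(label, "->", classify_response(reply))
```

A resolver that receives the truncated reply will reopen the same question over TCP, carrying each message behind a 2-byte length prefix as `tcp_frame` shows; a firewall that drops tcp/53 or datagrams above 512 bytes breaks exactly the two non-classic branches of `classify_response`, which is the failure mode the thread describes.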