> I know Eliot didn't mean it this way, but conversations about this item
> seem to have gone around both ends and are meeting in the middle.
Regrettably, this is exactly what I am trying to point out.
> What we have here is a tool developed to bypass the misuse of other tools
> which is now itself being used for misuse. We should keep it because it
> can bypass the misuse of the other tools, but should ban it because it
> is primarily used for misuse.
Please consider wisely what a firewall is for, and what it is not for.
If a firewall is for keeping the bad guys out, then depending on how
concerned you are with the exposed machines, you may well need to turn
off UDP, because it can effect an attack on random UDP ports
including, I might add, NTP, WAIS, talk, and DNS, just to name a few.
This will keep things `safe', albeit less useful.
However, if your goal is to prevent naughty bits from cutting across
your network, give up now. A new mechanism that circumvents best
efforts to turn off FSP will be along in a few weeks if people find
that they can't get their porn fix. I can see it now: FSP to FTP
application gateways. FSP is a prime example of what happens when one
implements a tyrannical policy ``in code'', when it is best
implemented in management. Remember, just because you *can* do it in
code, doesn't mean that you *should*.