Firewalls: Re: Are we amusing?

Firewalls
(August 1994)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Are we amusing?
From:	snyderra @ dunx1 . ocs . drexel . edu (Bob Snyder)
Date:	Wed, 31 Aug 1994 04:08:12 -0400
To:	Firewalls @ GreatCircle . COM

At 2:34 PM 8/30/94, Esh, Andrew wrote:

>which are just as capable of a denial-of-service attack as any hacker is.
>Once security is obtained, further efforts to provide or restore access
>to the network are not pursued, in the name of "security". Paths to petty
>tyranny lead in many directions from this point, with the system
>administrator (and the network policy wonks behind him/her) as the prime
>suspects.

I suspect this depends heavily on your definition of "service."  Is it a
"denial of service" if the firewall doesn't let you use the
golly-gee-wiz-neato new net toy that is currently all the rave?

It rests on the question of what the needs of the site are (which don't
always match with the wants of the user).  Some sites have a strong need
for security, because the potential damage from an intruder is greater than
the potential benefit of having a open firewall that is user-friendly.
Other sites don't.  If you think your site should be more open, demonstrate
the benefits of such a policy to the powers-that-be, be they managers,
provosts, or the board of directors of an organization.

>Do not misunderstand me. I am not denouncing firewalls, just their
>misuse. In fact, due to my personal (negative) experiences with them, I
>plan to become a great deal more educated in their use. My hope is to aid
>the design of better ones which provide both security AND common user
>access. I feel we must guard against the mindset that security is worth
>(even partial) denial of access. We must also guard against becoming

You are making sweeping generalizations that may not be true of places
other than your site.  In some cases, security is worth limiting access,
and taking a "that which isn't explicitly allowed is disallowed" attitude.
In some cases, it isn't.

There is, of course, always the option of seeking out your own connection
to the Internet, and setting your own policy.

Bob

--
Bob Snyder N2KGO                               MIME, PGP, RIPEM mail accepted
snyderra @
 post .
 drexel .
 edu                      PGP & RIPEM keys on key servers
         When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl.

Indexed By Date	Previous:	"Firewalls are Bad" From: Mike Muuss <mike @ arl . mil>
Indexed By Date	Next:	Traffic loads on a bastion From: wetzels @ amc . uva . nl (F.P.M. Wetzels)
Indexed By Thread	Previous:	Are we amusing? -Reply From: KIDSTOJ @ pcux . citec . qld . gov . au
Indexed By Thread	Next:	re: Novell (yuck!) Security ?? From: padgett @ tccslr . dnet . mmc . com (A. Padgett Peterson, P.E. Information Security)