At 09:46 AM 11/26/97 -0500, Mike Jones wrote:
>Mike Tibodeau wrote:
>> At 11:54 AM 11/25/97 -0800, Woody Weaver wrote:
>> >At 05:37 PM 11/25/97 +0000, Finnbogi Ragnar Ragnarsson wrote:
>> >>Most people need email, right?
>> >>And DNS,
>> >>and FTP server,
>> >>and WWW server
>> >I think this is a matter of semantics, but I want to be clear.
>> >It does not provide user services (other than a trivial web page for local
>> >diagnostics). It is a firewall, not an application device.
>> I think this is more of a religious question than anything. Some
>> people (like Woody and myself) would tend not to load a firewall
>> with "other junk" whereas other people might.
>This rapidly becomes a semantic question. It depends on whether you think
>as "a piece of hw/sw" or "the security apparatus at the edge of your
>If you think
>of it as the second, then access control/logging is only one function of the
I've been told (By ragnar @
is) that this semantic thread appeared on the
list in 95, and I don't really want to go through it again. For the
purposes of this discussion, I want to distinguish a firewall from a
perimeter security suite.
>> >I think that what ragnar @
is is thinking of is an application gateway
>> >that can provide services on a firewall. Speaking only from personal
>> >experience, I do not like to put any services on the firewall device: not
>> >only do I not want to have an ftp server on the firewall, I don't even
>> >content filtering or mail relays there.
>> I would tend to agree. I would further that by saying that virus scanning
>> does not belong at the firewall, nor URL filtering for that matter. (I
>> know I will probably burn for that last comment, but this is my personal
>> opinion and not that of my employer.)
>I would disagree. You may not want to put those functions on the same
>control, but it makes a lot of sense (to me) to have virus scanning "on the
>firewall" *in addition
>to* on the desktop as part of a "security in depth" strategy.
Given the definitions above, we actually agree: content security (such as
virus scanning), application security (such as transparent proxies), and
user security (such as authentication mechanisms or encryption mechanisms)
certainly belong in the perimeter security suite, where appropriate. I
suggest this to people not only for security in depth but also for reasons
of maintenance: putting lots of your eggs in one basket makes it easier to
watch the eggs. And we agree that we don't want to put those functions on
the same physical piece of hardware (for me, the reasons are for failure
isolation and so that I can sniff the segments just inside and outside the
access control device to independently verify function).
Such is the joy of semantics: once we've settled on the words, it turns out
all wise guys think alike... :)
Robert Wooddell Weaver email: woody .
Senior Systems Engineer voice: 510.358.3972
Wiltel NSI pager: 510.702.4334