# Comments on 'Security without firewalls'

Debian Administration has an article up about [the usefulness of
firewalls][1]. Are they really necessary? If you think of a firewall
as just a stateless, layer-3 packet filter, then I would agree
they are not very useful. However, modern firewalls can do all sorts
of useful filtering that can protect a public application from
compromise: stateful fragment reassembly, packet normalization, and
rate limiting come to mind. Outbound filtering can also be useful,
in the event of an internal compromise, or just as a spam-buster
(only allowing outbound SMTP traffic to a mail relay that requires
authentication).
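To make the list above concrete, here is an added pf.conf fragment (my own illustration, not something from the post or from the Debian Administration article) that shows each of the features named: normalization and fragment reassembly, stateful default-deny, per-source rate limiting on a public service, and outbound SMTP restricted to the relay. The interface name, the internal network and the relay address are assumptions (documentation address ranges), and the `scrub` line uses the FreeBSD/older OpenBSD syntax.

```pf
# Added example, not from the original post. Names and addresses below are
# assumptions: em0 is the external interface, 192.0.2.0/24 the internal
# network, 198.51.100.25 the authenticated mail relay.
ext_if     = "em0"
lan_net    = "192.0.2.0/24"
mail_relay = "198.51.100.25"

# Packet normalization and fragment reassembly happen before any filter rule
# sees the packet, so overlapping or tiny fragments never reach the application.
scrub in all fragment reassemble no-df random-id

# Stateful default deny: replies to allowed connections are matched by state
# entries, not by separate inbound rules.
block log all

# Public web service with per-source rate limiting: a source that opens more
# than 30 connections in 10 seconds is added to <abusers> and its existing
# states are flushed. 'quick' stops evaluation at the first matching rule.
table <abusers> persist
block in quick on $ext_if from <abusers>
pass in on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } \
    flags S/SA keep state (max-src-conn-rate 30/10, overload <abusers> flush global)

# Outbound filtering: internal hosts may only speak SMTP (submission) to the
# relay. Direct SMTP anywhere else is blocked and logged, which both stops
# spam from a compromised internal host and gives a detection signal.
pass out quick on $ext_if proto tcp from $lan_net to $mail_relay port 587 keep state
block out quick log on $ext_if proto tcp from $lan_net to any port { 25, 465, 587 }

# Everything else outbound, tracked statefully
pass out on $ext_if proto { tcp, udp, icmp } from $lan_net to any keep state
```

Rule order matters in pf because the last matching rule wins unless it carries `quick`; that is why the relay pass and the SMTP block are both marked `quick`, so the generic outbound pass at the end cannot re-open port 25. The logged block rule is the cheap win here: a burst of denied port-25 attempts from one internal address is an early sign of the internal compromise the post mentions.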

This reminded me of an article I read some time ago by Abe Singer in
the [Usenix magazine ;login:][2] about [life without firewalls at
the San Diego Supercomputer Center (SDSC)][3] (PDF). Basically, they
do the following:

* They have a centralized configuration management system; they use
  only hardened 'reference systems' on any public networks
* They have implemented aggressive patching policies
* They enforce a strict policy on strong authentication

How well does this setup work? According to [SearchSecurity.com][4],
pretty well. The SDSC has seen one compromise in six years without a
firewall, and that one compromise would not have been stopped by a
firewall, even if they had one.

[1]: http://www.debian-administration.org/articles/552
[2]: http://usenix.org/publications/login/
[3]: https://web.archive.org/web/20060924010526/http://www.usenix.org/publications/login/2003-12/pdfs/singer.pdf
[4]: https://web.archive.org/web/20071130012537/http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1191993_tax299825,00.html?bucket=NEWS

## Comments

**[Anonymous](#5 "2007-10-14 19:46:00"):** I tend to agree with this
approach. Firewalls are fine things to have protecting a network
full of systems, but for an individual workstation the few gains
that they offer over the Debian and Ubuntu approach of disabling or
loopback listening any services not meant to be publicly available
is just not worth the effort, particularly for the less technically
oriented user community. This is also in line with the "stuff just
works" design that modern distributions are aiming for.
