1999-09-24-16:17:48 Tim Kramer:
> I can only imagine one case where an ISP would need a firewall: to protect its
> internal network where the billing records and logs are kept. (I'm probably
> wrong as I've never worked that side of the house.) (Why have a firewall if
> the security policy is "no restrictions"?)

There ought to be a firewall any place there's an administrative border. At
the connection between the internet and an ISP, they should have a box that
enforces a couple of rules:
- don't allow packets through in either direction to or from the RFC
  1918 address blocks 192.168/16, 172.16/12, and 10/8.
- don't allow incoming packets with source addresses that are supposed
  to be inside the firewall, and don't allow outbound packets with
  source addresses that aren't inside the firewall.

In addition, a border firewall gives you valuable logging, and the ability to
shut down many denial-of-service attacks once they're detected and diagnosed.

> Politics will always conflict with security when use of your network is
> involved.

I think these conflicts, and how they are resolved, are the test of the
security policy. A good security policy is strengthened by such challenges,
since it ends up either educating the user about the organization's needs, or
else being revised to better meet them.
-Bennett
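
The two border rules from the message above, applied to sample packets. This is an added example, not part of the original post; the inside prefix 198.51.100.0/24, the function name `border_verdict` and the sample packets are constructed for illustration.

```python
import ipaddress

# RFC 1918 blocks named in the message.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the prefix the ISP routes "inside the firewall"
# (a documentation range, constructed for this example).
INSIDE = [ipaddress.ip_network("198.51.100.0/24")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def border_verdict(direction, src, dst, inside=INSIDE):
    """Return (action, reason) for one packet crossing the border.

    direction is "in" (internet -> ISP) or "out" (ISP -> internet).
    """
    if direction not in ("in", "out"):
        raise ValueError("direction must be 'in' or 'out'")
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    # Rule 1: nothing to or from RFC 1918 space, in either direction.
    if _in_any(s, RFC1918) or _in_any(d, RFC1918):
        return ("drop", "rfc1918")
    # Rule 2a: inbound packets must not claim an inside source.
    if direction == "in" and _in_any(s, inside):
        return ("drop", "spoofed-inside-source")
    # Rule 2b: outbound packets must carry an inside source.
    if direction == "out" and not _in_any(s, inside):
        return ("drop", "foreign-source")
    return ("pass", "ok")


# Constructed sample packets: (direction, source, destination).
SAMPLES = [
    ("in", "203.0.113.7", "198.51.100.10"),    # ordinary inbound
    ("in", "10.1.2.3", "198.51.100.10"),       # private source from outside
    ("in", "198.51.100.99", "198.51.100.10"),  # outside claiming inside source
    ("out", "198.51.100.10", "203.0.113.7"),   # ordinary outbound
    ("out", "203.0.113.50", "192.0.2.1"),      # customer sending foreign source
    ("out", "198.51.100.10", "172.20.0.1"),    # leak toward private space
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", border_verdict(*pkt))
```

The reason string returned with each drop is what a border box would log, which is the logging benefit the message mentions.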