The perfect firewall is only useful if you have perfect
applications behind it, and perfect users using them.

Back in the Early Days of firewalls, I used to believe
they could be made sufficiently secure. That was back
when firewalls only carried about 5 protocols: SMTP,
telnet, FTP, NNTP, and DNS. Some of us understood FTP
bouncing and blocked it, but even then we understood the
threat of someone sending scripts to users, or downloading
trojaned code. These days, the kind of plug-ins that come
in your typical browser, combined with all the bizarro
undocumented protocols used by new Internet apps, make it
highly unlikely that a firewall is doing anything more
complex than a thin layer of policy atop routing. As
such, the apps behind the firewall are now more critical
to security than the firewall itself. Which should scare
the holey moley out of you.

See
http://web.ranum.com/pubs/a1fwall/index.htm
for details on the APDF firewall system I designed a
few ages ago. As far as I am concerned, it's the only
firewall you can completely trust. Even the APDF can be
mis-installed or mis-configured but it's pretty robust. ;)

mjr.
-----
Marcus J. Ranum
Chief Technology Officer, Network Flight Recorder, Inc.
Work:                  http://www.nfr.net
Personal:              http://www.ranum.com
