On Sun, 19 Mar 2000, Michael H. Warfield wrote:
[snip]
> Stateful filtering in routers, firewalls, or host interfaces is
> almost certainly a good thing considering the insecurity of most of the
> alternatives. The secure alternative on a firewall would be proxies.
> Secure, yes, but a dubious performance hog at the very least... And excuse
[snip]
Come on!
Stateful firewalling buys you *very* little extra security over
non-stateful filtering. Most of the attacks that a firewall will stop are
straightforward service exploits via the internet. A simple filter will do
this just fine.
Most security violations happen from the inside, and unless you like
spending tons of money breaking all your internal communications,
firewalls can't help you there. Also, it's usually trivial for someone on
the outside to trick an insider into setting up a covert channel through
all but the most anal stateful devices.
They simply don't get you much over non-stateful devices other than a
false sense of security, increased complexity, and lowered reliability.
The real solution to security is to secure the damn hosts, and stop trying
to gloss over the problem with cure-all quick fix firewalls.
Any network small and simple enough not to be crippled by a stateful
network (i.e. one building with one internet connection, with no peering
to other networks, with 100% trusted insiders (who know not to run
dancing-baby2000.exe)) is simple enough to actually make secure.
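As an added illustration of the distinction the two posts argue over (example code written for this page, not from either author), here is a toy packet filter in both styles: a non-stateful "established" rule that admits any inbound segment with ACK set, beside a connection-tracking filter that admits inbound traffic only when it matches an outbound connection it has seen. Addresses and the three-packet traffic sample are constructed; TCP is reduced to the SYN and ACK flags.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # constructed: addresses on the protected side

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # TCP flags of interest: "SYN", "ACK"

def stateless_allow(pkt: Packet) -> bool:
    """Non-stateful ACL: anything from inside may leave; inbound is accepted
    whenever it looks like part of an established session (ACK set)."""
    if pkt.src.startswith(INTERNAL_NET):
        return True
    return "ACK" in pkt.flags

class StatefulFilter:
    """Connection tracking: remember outbound SYNs, admit inbound only when
    it matches a remembered 4-tuple (reversed)."""
    def __init__(self) -> None:
        self.table: set = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.src.startswith(INTERNAL_NET):
            if pkt.flags == frozenset({"SYN"}):
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

def run(packets):
    """Return (stateless verdict, stateful verdict) per packet, in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

# Constructed traffic: an insider opens a session outward, the reply comes
# back, then an unsolicited ACK-only segment arrives from an unrelated host.
TRAFFIC = [
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, frozenset({"SYN"})),
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("198.51.100.7", 1234, "10.0.0.5", 40001, frozenset({"ACK"})),
]

if __name__ == "__main__":
    for p, verdict in zip(TRAFFIC, run(TRAFFIC)):
        print(p.src, "->", p.dst, "stateless/stateful:", verdict)
```

Both filters pass the insider-initiated session and its reply, which is the point made above about channels set up from the inside; they differ only on the third packet, which the stateless rule accepts on the strength of the ACK flag alone and the tracking filter drops for lacking a matching connection.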
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]