On Wed, Mar 06, 2002 at 09:41:55AM -0500, Steven M. Bellovin wrote:
> In message <[EMAIL PROTECTED]>, Eric Brandwine writes:
>
> >Firewalls are good things for general-purpose networks. When you've
> >got a bunch of clueless employees, all using Windows shares, NFS, and
> >all sorts of nasty protocols, a firewall is best practice. Rather
> >than educate every single one of them as to the security implications
> >of their actions, just insulate them, and do what you can behind the
> >firewall.
>
> >When you've got a deployed server, run by clueful people, dedicated to
> >a single task, firewalls are not the way to go. You've got a DNS
> >server. What are you going to do with a firewall? Permit tcp/53 and
> >udp/53 from the appropriate net blocks. Where's the protection? Turn
> >off unneeded services, choose a resilient and flame-tested daemon, and
> >watch the patchlist for it.
>
> Precisely. You *may* need a packet filter to block things like SNMP
> (to name a recent case in point), but a general-purpose firewall is
> generally the wrong solution for appliance computers.
Hmm...but certainly part of the right solution for a general "appliance" network. -ron
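As an added illustration of the two points made above (a host packet filter that permits tcp/53 and udp/53 only from the appropriate net blocks and explicitly drops SNMP, plus a check that nothing else is listening), here is a small POSIX shell script. It is example code written for this page, not anything posted in the thread: the nftables table name `dnshost`, the set name `resolver_clients`, the sample net blocks (RFC 5737 documentation ranges) and the `ss -Hlntu`-style listener sample are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): minimal host packet filter and
# listener audit for a dedicated DNS server.

# Emit an nftables ruleset for a dedicated resolver. Arguments are the
# client net blocks that may query it (the "appropriate net blocks").
# Default policy is drop, so the explicit SNMP rule is redundant for
# safety; it is there with a counter so hits are visible in `nft list`.
dns_host_ruleset() {
    blocks=$(printf '%s, ' "$@")
    blocks=${blocks%, }
    cat <<EOF
flush ruleset
table inet dnshost {
  set resolver_clients {
    type ipv4_addr
    flags interval
    elements = { $blocks }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip saddr @resolver_clients udp dport 53 accept
    ip saddr @resolver_clients tcp dport 53 accept
    udp dport { 161, 162 } counter drop
  }
}
EOF
}

# Read "ss -Hlntu"-style lines on stdin and print proto/port for every
# listening socket whose port is not in the allowlist given as arguments.
# This is the "turn off unneeded services" check: the filter above only
# buys you something if the host is not also running SNMP, finger, etc.
unexpected_listeners() {
    awk -v allow="$*" '
        BEGIN { m = split(allow, l, " "); for (i = 1; i <= m; i++) ok[l[i]] = 1 }
        NF >= 5 {
            n = split($5, a, ":"); port = a[n]
            if (!(port in ok)) print $1 "/" port
        }'
}

# Constructed sample of "ss -Hlntu" output (assumption, not a real host):
# the resolver listens on 53, sshd on 22, and snmpd was left running on 161.
SAMPLE_SS='udp   UNCONN 0      0          0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*'

# Demo on the constructed sample (no real ss(8) call, so it runs offline).
# Expected: udp/161
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners 53 22
```

On a live host you would pipe `ss -Hlntu` into `unexpected_listeners`, and load the ruleset with `dns_host_ruleset 192.0.2.0/24 198.51.100.0/24 | nft -f -`. For an authoritative server that must answer the whole Internet, the set-based restriction on port 53 goes away and the value of the filter shrinks to exactly what Bellovin describes: keeping stray services such as SNMP off the wire.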