In message <[EMAIL PROTECTED]>, bill writes:
>> "the primary purpose of a firewall is to keep the bad
>> guys away from the buggy code. Firewalls are the networks' response to
>> the host security problem."
>
> a pretty good sound bite. :)

Thanks -- I've been using that line for about 10 years, and I haven't gotten tired of it yet....

>
>> Add to that that you don't really know what's
>> safe or unsafe, and that you have some services that are convenient for
>> insiders but don't have adequate, scalable authentication on which you
>> can build an authorization mechanism, and you see why firewalls are
>> useful.
>>
>> Perfect? No, of course not. A good idea? Absolutely.
>
> Er... perhaps.
>
> Who is configuring the "firewall"? What are its capabilities?
> How easy will it be to deploy new services? I, as an enduser,
> am abdicating most of my responsibility to or it is being hijacked
> by one or more network service providers.

Ken is right. I don't have time to participate in this thread any more tonight -- tomorrow is the biweekly IESG call, and I still have several documents to review -- but I never said that ISPs should implement firewalls. In fact, in general that's a bad idea. Firewalls are the instantiation of a security policy; I don't want my ISP telling me what my security policy is or should be.

To be sure, there is a market for a value-added ISP service that provides assorted types of filtering. But that's the sort of thing that's best done by consenting adults.

More later....

--Steve Bellovin, http://www.research.att.com/~smb