On Tue, May 21, 2002 at 06:12:00AM +1000, Anthony Towns wrote:
> On Mon, May 20, 2002 at 12:13:41PM -0700, Thomas Bushnell, BSG wrote:
> > 1. Debian does not have firewalling by default, so if firewalling is
> > necessary for security, then it is not secure by default.
>
> It does: it has spoof protection enabled and forwarding disabled by
> default.

That's not firewalling. For all we know, hurd might not even be able to forward packages. </joke> But that doesn't mean it's firewalled. And the linux spoof protection is more harmful than beneficial in many cases, and should hardly be considered the gold standard of hurd's achievements.

> In any event, default behaviour isn't the issue: it's whether
> or not you have any real control over your network interfaces.

I'm sure hurd has fundamental control: if they don't want someone connecting to a hurd box, they won't run any network servers.

> > 2. Firewalling is not actually an asset in network security; the
> > notion that it is is misguided and thoroughgoingly erroneous.
>
> That's the most bizarre statement I've seen for at least an hour.

It's also correct, from a certain point of view. </obi-wan>

There is a school of thought that firewalls are only useful if you are trying to protect network services that you can't secure properly. You might disagree, but there is a certain truth. What does a firewall really do? It blocks packets. Why does it block packets? To keep the packets from doing something bad. If you trust the software on your machine not to do something bad, regardless of what packets it receives, what does the firewall add?

More importantly, for this school of thought, is the fact that firewalls offer a false sense of security. If you *don't* trust the software running on your machine, why are you running it in the first place? What if your firewall breaks? What if a "trusted" host launches an attack? The only real security is to trust your network-attached hosts--a firewall can't fix a broken system.

You might argue for defense in depth, even if you do trust the software on your machine (heck, I might argue for defense in depth :) but unfortunately that's not the reason many firewalls are deployed.

-- 
Mike Stone