On Fri, Apr 19, 2002 at 09:00:15PM -0400, Shawn McMahon wrote:
> > Noah (and I) didn't say a firewall was useless, just that discussing
> > firewalls when the problem is a (potential) mail relay is wholly
> > pointless.
>
> Noah did say that. You, to the best of my knowledge, didn't.

Yes, I certainly did say as much, and in this case I do believe it would be useless. Putting a mail server behind a (network-based) firewall is quite dangerous, especially if you have other insecure hosts behind that firewall that you think are safe. The idea of a remote exploit in an MTA is hardly novel, and if your mail server gets cracked, then there are likely to be a lot of other vulnerable hosts behind the firewall that suddenly become attackable.

Now, I don't declare firewalls to be flat-out *bad*, though I do know some very experienced network admins who do. They can have their uses. I am not of the school that a firewall should block all traffic except a few specific ports. If I need to protect a certain dangerous service, I will filter that port at the network border, but otherwise I do not filter any traffic.

An example of when I would do such a thing is during the recent SNMP vulnerability problem. In a large heterogeneous network, not all vendors will fix their SNMP implementations in a timely manner, so it's best to filter the port at the border until I'm reasonably confident that the systems are no longer vulnerable.

I am a firm believer in network availability and flexibility, and that approach has served me well for years. (I am responsible for several machines on a high-profile open network. We do not rely on network-based firewalls for security.)

> Apologies to Noah for calling him a troll.
>

No problem. I'm sure I've been called worse. Plus, this sort of debate is always interesting.

noah

--
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
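The two firewall philosophies argued over in this thread, as an added illustration (not code from the message above or from any of its participants): a toy border filter evaluated over constructed flows. It models the "pass everything, filter one dangerous service at the border" approach against the "block all but a few ports" approach, and includes a flow that originates on an already-cracked mail host, which is the case Noah says a border firewall does nothing for. The internal prefix 10.0.0.0/8, the sample addresses, and the allowed-port set are assumptions made up for the example; the SNMP ports (161/udp, 162/udp for traps) are the standard ones.

```python
"""Toy border-filter model: open network vs default-deny.

Added example for the mailing-list message above; all networks, hosts,
flows and policies below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed site address space (constructed for this example).
INTERNAL = ip_network("10.0.0.0/8")

# Ports temporarily filtered at the border while vendors patch SNMP:
# 161/udp (agent) and 162/udp (traps) are the standard SNMP ports.
SNMP_PORTS = {161, 162}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def crosses_border(flow: Flow) -> bool:
    """True when the packet enters the site from outside, i.e. the border
    filter sees it. Traffic between two internal hosts never does."""
    return ip_address(flow.src) not in INTERNAL and ip_address(flow.dst) in INTERNAL


def open_network_policy(flow: Flow) -> str:
    """Pass all traffic, except drop one known-dangerous service at the
    border for as long as unpatched SNMP implementations are around."""
    if crosses_border(flow) and flow.proto == "udp" and flow.dport in SNMP_PORTS:
        return "drop"
    return "accept"


def default_deny_policy(flow: Flow, allowed=frozenset({25, 80, 443})) -> str:
    """The 'block everything but a few ports' school, for comparison.
    The allowed set is an assumption for this example."""
    if crosses_border(flow) and not (flow.proto == "tcp" and flow.dport in allowed):
        return "drop"
    return "accept"


# Constructed sample flows; 198.51.100.0/24 is documentation space (RFC 5737).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "10.1.2.3", "udp", 161),  # external SNMP probe
    Flow("10.1.9.9",     "10.1.2.3", "udp", 161),  # internal NMS polling
    Flow("198.51.100.7", "10.1.2.3", "tcp", 25),   # inbound mail to the MTA
    Flow("198.51.100.7", "10.1.2.3", "tcp", 22),   # inbound ssh
    Flow("10.1.2.3",     "10.1.5.5", "udp", 161),  # cracked MTA probing a neighbour
]


def evaluate(flows, policy):
    """Return (flow, verdict) pairs for a policy over a list of flows."""
    return [(f, policy(f)) for f in flows]


if __name__ == "__main__":
    for name, policy in (("open", open_network_policy),
                         ("default-deny", default_deny_policy)):
        print(f"== {name} ==")
        for f, verdict in evaluate(SAMPLE_FLOWS, policy):
            print(f"{f.src:>14} -> {f.dst:<10} {f.proto}/{f.dport:<4} {verdict}")
```

The last sample flow is the point of the message: once the MTA host is compromised, its traffic to other internal hosts never crosses the border, so both policies accept it, and whatever protection the hosts behind the firewall were assumed to have is gone. The SNMP filter, by contrast, still lets the internal management station poll agents, which is why filtering "at the border" rather than everywhere costs little availability.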