Wednesday, October 10, 2007

Comments on 'Security without firewalls'

Debian Administration has an article up about the usefulness of firewalls. Are they really necessary? If you consider a firewall as just a non-stateful, layer-3 packet filter, then I would agree they are not very useful. However, modern firewalls can do all sorts of useful filtering that can protect a public application from compromise - things like stateful fragment reassembly, packet normalization, and rate limiting come to mind. Outbound filtering can also be useful, in the event of an internal compromise, or just as a spam-buster (only allowing outbound SMTP traffic to a mail relay with authentication).
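As an added example (not from the Debian Administration article or the SDSC paper), the following shell script generates an `iptables-restore` ruleset that shows the kinds of filtering the paragraph above describes on a single public host: the connection-tracking core (netfilter's conntrack reassembles fragments before matching, and packets it cannot classify are dropped as INVALID), per-source rate limiting of new SSH connections, and outbound mail allowed only to an authenticated relay on the submission port, with everything else to SMTP ports logged and rejected. The relay address, the public interface name, and the chosen service ports are assumptions for illustration, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the article. Builds a stateful iptables ruleset
# for one public host. RELAY_IP and PUB_IF are assumed values; override them
# in the environment to match the real network.

RELAY_IP="${RELAY_IP:-192.0.2.10}"   # constructed documentation address (RFC 5737)
PUB_IF="${PUB_IF:-eth0}"

# Emit the ruleset in iptables-restore format on stdout (lines beginning with
# '#' are ignored by iptables-restore, so the comments can stay in the output).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback is always trusted
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful core: replies to tracked connections pass, unclassifiable packets are dropped
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# public services: HTTP unrestricted, new SSH connections limited per source address
-A INPUT -i $PUB_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 3/minute --hashlimit-burst 5 -j ACCEPT
-A INPUT -i $PUB_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "ssh-ratelimit: "
# outbound: DNS and web are open; mail goes only to the authenticated relay
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -p tcp -d $RELAY_IP --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -j LOG --log-prefix "smtp-direct: "
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# "print" shows the ruleset, "check" parses it without loading it,
# "apply" loads it (requires root and the iptables tools).
case "${1:-print}" in
    print) gen_ruleset ;;
    check) gen_ruleset | iptables-restore --test ;;
    apply) gen_ruleset | iptables-restore ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it with `check` first: `iptables-restore --test` parses the ruleset without committing it, so a typo in a rule is caught before the default-DROP policies take effect on a remote host. The `smtp-direct:` log prefix is the detection hook: a host that suddenly starts hitting that rule is either misconfigured or sending mail it should not be.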

This reminded me of an article I read some time ago by Abe Singer in the Usenix magazine ;login: about life without firewalls at the San Diego Supercomputer Center (SDSC) (PDF). Basically, they do the following:

  • They have a centralized configuration management system; they use only hardened 'reference systems' on any public networks
  • They have implemented aggressive patching policies
  • They enforce a strict policy on strong authentication

How well does this setup work? According to the article, pretty well. The SDSC has seen one compromise in six years without a firewall, and that one compromise would not have been stopped by a firewall, even if they had one.

1 comment:

Anonymous said...

I tend to agree with this approach. Firewalls are fine things to have protecting a network full of systems, but for an individual workstation the few gains that they offer over the Debian and Ubuntu approach of disabling or loopback listening any services not meant to be publicly available are just not worth the effort, particularly for the less technically oriented user community.

This is also in line with the "stuff just works" design that modern distributions are aiming for.
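The comment above rests on services being either disabled or bound to loopback. An added example (not part of the comment or the original post) of the check that confirms this on a Debian-style host: a small filter over `ss -ltnH` output that prints only the TCP listeners reachable beyond loopback. The sample lines below are constructed for illustration; `audit_live` runs the same filter against the real socket table.

```shell
#!/bin/sh
# Added example, not from the post or the comment. Reads `ss -ltnH` lines
# (State Recv-Q Send-Q Local:Port Peer:Port) and reports listeners whose
# bound address is not a loopback address. SAMPLE is constructed input.

SAMPLE='LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:5432 [::]:*'

# Print "address:port" for every LISTEN socket not bound to loopback.
public_listeners() {
    awk '$1 == "LISTEN" {
        la = $4
        addr = la
        sub(/:[0-9]+$/, "", addr)          # drop ":port", keep the bound address
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "[::ffff:127.0.0.1]") next
        print la
    }'
}

# Run the filter over the constructed sample (what the test exercises).
audit_sample() {
    printf '%s\n' "$SAMPLE" | public_listeners
}

# Run the filter over the live socket table (requires iproute2's ss).
audit_live() {
    ss -ltnH | public_listeners
}

audit_sample
```

On the sample this reports `0.0.0.0:22`, `*:80` and `[::]:5432`; the MySQL and CUPS listeners bound to loopback are left out. Anything the live run prints that is not a deliberately public service is a candidate for the "disable or bind to loopback" treatment the comment describes.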