Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!swrinde!elroy.jpl.nasa.gov!decwrl!sgi!rpw3@rigden.wpd.sgi.com
From: rpw3@rigden.wpd.sgi.com (Rob Warnock)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: well-behaved firewalls
Message-ID: <113425@sgi.sgi.com>
Date: 27 Jun 91 04:43:09 GMT
References: <1991Jun25.003609.22406@pa.dec.com>
Sender: guest@sgi.sgi.com
Reply-To: rpw3@sgi.com (Rob Warnock)
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 43

In article tr@samadams.princeton.edu (Tom Reingold) writes:
+---------------
| Is this sort of approach a "good idea"?  It has become common, with
| different methods of implementation.  Would it not make more sense to
| take the burden of security away from networks and put it on hosts?  To
| me, it seems that firewalls like these are analogous to roadblocks on
| highways that are placed there because a criminal MIGHT be using the
| road to commit a crime.  I prefer to be presumed innocent and I like
| having a road that is free for both me and the criminals.  I prefer
| banks putting up heavy locks to prevent robberies over roadblocks on roads.
+---------------

Well, to me the analogy is less to roads and more to my house. I have
several rooms in my house, and some have private files that I need to
protect very well and some have nothing of very much importance at all.
But I'd rather put a lock on the front door (the firewall) and enjoy the
convenience of being able to walk freely from room to room, picking up
a novel here and a confidential file there, as opposed to leaving the
front door wide open and then having to use a key to get from the bedroom
to the bathroom, a key to get from the bathroom to the kitchen, and a key
to get from the kitchen to the study.

Organizations which prefer, for whatever reasons, to have a more "homey"
atmosphere within their "walls" (internal internet) tend to prefer the
firewall approach. It allows the convenience of, say, open guest accounts
on internal systems without worrying about uninvited outside "guests".
Yet a "well-behaved" firewall -- together with a few specially-secured
servers -- still allows a controlled degree of sharing and communication.
(E.g., my house allows the postal deliveryperson to drop mail through the
slot, allows the gas meter to be read, and allows garbage to be carted
away -- all without my being there to approve it.)

I guess it just depends on your situation and perspective.

-Rob

-----
Rob Warnock, MS-1L/515     rpw3@sgi.com      rpw3@pei.com
Silicon Graphics, Inc.     (415)335-1673     Protocol Engines, Inc.
2011 N. Shoreline Blvd.
Mountain View, CA  94039-7311