Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!samsung!caen!spool.mu.edu!uunet!sci34hub!gary
From: gary@sci34hub.sci.com (Gary Heston)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: well-behaved firewalls
Message-ID: <1991Jun27.133519.16438@sci34hub.sci.com>
Date: 27 Jun 91 13:35:19 GMT
References: <1991Jun25.003609.22406@pa.dec.com>
Reply-To: gary@sci34hub.sci.com (Gary Heston)
Organization: SCI Technology, Inc., Huntsville, Al.
Lines: 49

In article tr@samadams.princeton.edu (Tom Reingold) writes:
>mogul@pa.dec.com (Jeffrey Mogul) writes:
>$ [ how he does a firewall ]

>Forgive me if I am mentioning something that has been discussed here
>before...

Many things are discussed repeatedly, in search of a better conclusion
than the last time. No forgiveness needed...

>Is this sort of approach a "good idea"?

Yes. After all, it's a network admin's job to keep the network secure
as well as up-and-running.

> It has become common, with
>different methods of implementation. Would it not make more sense to
>take the burden of security away from networks and put it on hosts? To
>me, it seems that firewalls like these are analogous to roadblocks on
>highways that are placed there because a criminal MIGHT be using the
>road to commit a crime. I prefer to be presumed innocent and I like
>having a road that is free for both me and the criminals. I prefer
>banks putting up heavy locks to prevent robberies over roadblocks on
>roads.

Not quite a good analogy. Domains are more like private housing areas,
or apartment complexes, which don't have public roads thru them. You
can drive anywhere on the public roads (use the InterNet) you want, and
shouldn't be hindered by roadblocks (firewalls) without some act on your
part (note that this is contrary to MADD's attitude), but you have no
business driving around in my parking lot (accessing my domain). Rules
for use of public property differ from those for private property.

The property owner (network admin) is perfectly within their rights to
refuse access (respond Host Unreachable) to anyone that isn't paying rent
or a member of the private community (users).

I want to see wide access for everyone, myself. My first responsibility
is to the users and our employer, though.

>What do network experts feel about this?

I'll want to see that as well. I'm certainly no expert, yet.

--
Gary Heston   System Mismanager and technoflunky   uunet!sci34hub!gary or
My opinions, not theirs.   SCI Systems, Inc.   gary@sci34hub.sci.com
I support drug testing. I believe every public official should be given a
shot of sodium pentothal and asked "Which laws have you broken this week?".