On Thu, 25 Feb 2010, Gerard Creamer wrote:
Hi Roland,
Just to pick a single statement and possibly interpret it out of context...
On 25/02/2010 5:29 p.m., Dobbins, Roland wrote:
Firewalls should not be wedged into the middle of SP networks, nor should they be placed in front of servers.
Just looking at the last part of that (agree with the first bit) - are you suggesting that we put Windows servers bare on the intertubes? Is this for 'crack-that-box-wide-open' time trials or something?
We also tend to firewall collocation servers unless specifically asked not to, as often those running them aren't as paranoid as they should be about removing / turning off services. I mean, I'm all for a bit of a laugh, and there's nothing quite like a rampant fox in the corner of your hen house to add excitement to an otherwise boring weekend, but leaving boxes open for exploit feels a bit too much.
Has some major thing happened and I missed it in terms of server security, or am I reading your statement incorrectly?
Those interested may like to check out the NANOG thread which started with "I dont need no stinking firewall" on 5 January 2010... shades of that discussion and the merits of stateful firewalls in front of services come to mind... http://seclists.org/nanog/2010/Jan/126 for reference...
Mark.