Brian.Rubarts@born.com: RE: Storage over Ethernet/IP

[Dave Nagle <bassoon@yogi.ece.cmu.edu>]

------- Forwarded Message

Date:    Fri, 26 May 2000 10:55:29 -0500
From:    Brian.Rubarts@born.com
To:      Valdis.Kletnieks@vt.edu
cc:      ietf@ietf.org
Subject: RE: Storage over Ethernet/IP 

>Odd.. I thought we had a clue about security.  The guys at SANS just
>gave us a 'Technology Leadership Award'.  I just walked across the hallway,
>and I didn't see any firewall in our router swamp.
>I guess because we don't have a firewall, we don't have a clue.  Or because
>we don't have a firewall, we can't deploy this technology.  Somehow, that
>doesn't smell right.
>If your OS is hardened enough, a firewall may not be appropriate.

I am not saying that you don't have a clue if you don't utilize a firewall.

I AM saying that if you have Internet access to your network, a firewall is 
extremely important.  It isn't complete, in and of itself.  OS hardening is
still very important, as are other technologies (as necessary to facilitate
application needs).  

I understand your point that if your OS is perfectly hardened, then a
firewall
isn't going to add any *extra* protection.  You miss the point, though.  You
can prevent
unnecessary processor and bandwidth utilization on the server by filtering
it out at the perimeter of your network.  You might not get a security
advantage
if you are an OS hardening god, but you would CERTAINLY get performance
increases
on your LAN.  

If you are utilizing pure access lists on routers for perimeter security,
then
you are assuming that this technology is as adept at securing a network as 
port filters combined with Network Address Translation or cicuit proxying.
Don't
make that assumption.  

Brian

------- End of Forwarded Message