Newsgroups: comp.protocols.tcp-ip
Path: sparky!uunet!haven.umd.edu!decuac!hussar.dco.dec.com!mjr
From: mjr@hussar.dco.dec.com (Marcus J. "will do TCP/IP for food" Ranum)
Subject: Re: Terminology for firewalls (was Re: Firewall usage)
Message-ID: <1992Jul26.213653.29848@decuac.dec.com>
Sender: news@decuac.dec.com (USENET News System)
Nntp-Posting-Host: hussar.dco.dec.com
Organization: Digital Equipment Corporation, Washington ULTRIX Resource Center
References: <1992Jul24.045748.11266@decuac.dec.com> <1992Jul26.100825.13071@magnus.acs.ohio-state.edu> <1992Jul26.211639.29453@decuac.dec.com>
Date: Sun, 26 Jul 1992 21:36:53 GMT
Lines: 24

>Firewall - a combination of a security policy with some of the components
> above. Specifically, an implementation of the given policy that
> is enforced by a combination of screening and/or routing.

I should have mentioned that I believe that a "policy" needs to be
something coherent and consistent that is more or less regular. I don't
believe that a firewall can be implemented successfully by just plugging
onto the network and disabling a bunch of stuff until it "works". I'm
as far from a theoretical kind of guy as I think you can get, but I really
think it's very important here to have a clear statement of the goals of
the firewall before any connection is undertaken.

Simply dividing the overall philosophy of the firewall into one
of these two categories or the other will make a huge difference:
"everything not expressly forbidden is permitted"
"everything not expressly permitted is forbidden"

Consider that in the latter case, the administrator's life is
(hopefully!) easier - we tilt instinctively towards more security. In
the former case, the user's life is usually easier - they are free to
do anything that they can think of that the administrator has not
identified as a security risk and blocked.

mjr.
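The two policy stances in the post above, as an added illustration that is not part of Ranum's message: a minimal first-match packet filter with a configurable default action, one rule set written in the "everything not expressly forbidden is permitted" style (a blocklist of known risks) and one in the "everything not expressly permitted is forbidden" style (an allowlist of intended services). The rule sets, the sample traffic and the helper names (`Filter`, `Rule`, `implicit_decisions`) are all constructed for this example; the port numbers are the standard IANA assignments for the services named in the comments. The point it makes concrete is the last paragraph of the post: a service nobody thought about (here X11 on tcp/6000 and tftp on udp/69) sails through the blocklist filter because it never matches an explicit rule, while the allowlist filter rejects it for exactly the same reason.

```python
"""Added example, not from the original post: a toy first-match packet
filter showing why the default action decides what happens to traffic
the administrator never considered."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]      # None matches any protocol
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto) and
                (self.dst_port is None or self.dst_port == pkt.dst_port))


class Filter:
    """First matching rule wins; the default action covers everything else."""

    def __init__(self, rules: List[Rule], default: str) -> None:
        if default not in ("permit", "deny"):
            raise ValueError("default must be 'permit' or 'deny'")
        self.rules = list(rules)
        self.default = default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# "Everything not expressly forbidden is permitted": block the services the
# administrator has identified as risky, let the rest through (constructed).
DEFAULT_PERMIT = Filter(
    [Rule("tcp", 23, "deny"),     # telnet
     Rule("tcp", 513, "deny"),    # rlogin
     Rule("tcp", 514, "deny")],   # rsh
    default="permit")

# "Everything not expressly permitted is forbidden": list the services the
# site intends to offer, reject the rest (constructed).
DEFAULT_DENY = Filter(
    [Rule("tcp", 25, "permit"),   # smtp
     Rule("tcp", 53, "permit"),   # dns over tcp
     Rule("udp", 53, "permit")],  # dns over udp
    default="deny")

# Constructed sample traffic: two anticipated services, one known risk,
# and two services neither administrator wrote a rule for.
SAMPLE_TRAFFIC = [
    Packet("tcp", 25),     # smtp, intended
    Packet("udp", 53),     # dns, intended
    Packet("tcp", 23),     # telnet, known risk
    Packet("tcp", 6000),   # X11, nobody thought about it
    Packet("udp", 69),     # tftp, nobody thought about it
]


def decisions(filt: Filter, packets: List[Packet]) -> Dict[Tuple[str, int], str]:
    """Map each (proto, port) in the sample to the filter's verdict."""
    return {(p.proto, p.dst_port): filt.decide(p) for p in packets}


def implicit_decisions(filt: Filter, packets: List[Packet]) -> List[Tuple[str, int, str]]:
    """Packets whose verdict came from the default action rather than from
    an explicit rule. Under a permit default these are the unanticipated
    exposures; under a deny default they are the services users will ask
    the administrator to open."""
    out = []
    for p in packets:
        if not any(r.matches(p) for r in filt.rules):
            out.append((p.proto, p.dst_port, filt.default))
    return out


if __name__ == "__main__":
    for name, filt in (("default-permit", DEFAULT_PERMIT),
                       ("default-deny", DEFAULT_DENY)):
        print(name, decisions(filt, SAMPLE_TRAFFIC))
        print("  decided by default:", implicit_decisions(filt, SAMPLE_TRAFFIC))
```

Running it shows that both rule sets agree on the traffic the administrator actually wrote rules for (smtp in, telnet out), and disagree on everything else: the `implicit_decisions` list is the set of services a default-permit firewall exposes without anyone having decided to, which is the reason the allowlist stance is the one that can be stated as a coherent policy before the connection is made.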