Archive of UserLand's first discussion group, started October 5, 1998.
Firewall stance and tunneling
Author: Ken MacLeod Posted: 5/5/2000; 3:10:56 PM Topic: scriptingNews outline for 5/5/2000 Msg #: 17019 (In response to 17013)
To firewall admins (and site, network, host, and application security in general) there are two general policies that admins choose between:
- Block everything until assessed
- Allow everything until incidents occur
Most universities and home users allow everything. Many organizations block everything. Many organizations block everything coming in but allow everything going out.
For whatever reasons, many sites that follow the "block everything" policy inexplicably change their stance to "allow everything" when it comes to SMTP or HTTP; they basically allow anything through. They do this by not implementing any filters on those connections and not monitoring them for unexpected usage.
In "Building Internet Firewalls" (Chapman and Zwicky; O'Reilly & Associates, Inc.) these stances are described:
- Default deny stance: That which is not expressly permitted is prohibited.
- Default permit stance: That which is not expressly prohibited is permitted.
Since I always have to think through that every time I read it, I prefer the shorter, more common descriptions above.
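The two stances and the SMTP/HTTP stance flip described in the post, as an added example that is not part of the original message. The `Rule` fields, the function names and the sample rule set are all constructed for illustration and assume a simple first-match, port-only rule model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    port: int                # destination TCP port the rule matches
    filtered: bool = False   # an application-layer filter is applied to the traffic
    monitored: bool = False  # connections are watched for unexpected usage

def decide(rules, port, default):
    """First matching rule wins; if none matches, the stance (default) decides."""
    for rule in rules:
        if rule.port == port:
            return rule.action
    return default

def stance_flips(rules, default):
    """Under a default deny stance, return the permitted ports that have
    neither a filter nor monitoring. Inside those ports the effective
    stance is "allow everything", whatever the rest of the policy says."""
    if default != "deny":
        return []
    return sorted({r.port for r in rules
                   if r.action == "permit" and not (r.filtered or r.monitored)})

# Constructed sample policy: SMTP and HTTP opened with no filter and no
# monitoring, plus one port that is both filtered and monitored.
RULES = [
    Rule("permit", 25),                                   # SMTP, wide open
    Rule("permit", 80),                                   # HTTP, wide open
    Rule("permit", 8080, filtered=True, monitored=True),  # assessed service
]

if __name__ == "__main__":
    for stance in ("deny", "permit"):
        # Port 23 has no rule, so the stance alone decides its fate.
        print(f"default {stance}: port 23 -> {decide(RULES, 23, stance)}")
    print("ports where 'block everything' became 'allow everything':",
          stance_flips(RULES, "deny"))
```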
This page was archived on 6/13/2001; 4:55:05 PM.
© Copyright 1998-2001 UserLand Software, Inc.