On Fri, 1 Sep 2000, Thomas Lopatic wrote:
[SNIP]
>
> Oh, it will most definitely mitigate the problems with that. Imagine
> that you unload the security policy of the FireWall-1, then you still
> have the first line of defence, i.e. the ipchains box running a current
> version of ipchains. See, it also works the other way around.
>
And you'd still have the inner network protected if set up right,
according to my understanding, as Solaris installs, and NT if I read right,
are supposed to default so that the OS does not forward packets and
this is left to FW-1, just for situations like this. The OS does not
forward and permit the protected networks to be vulnerable while booting
or changing the policy, yes? So here, if ipchains runs behind FW-1, it's
untouched...if in front of the FW-1 box, it's filtering as before, so that
certain traffic is not reaching the FW-1 box. If something passes the
ipchains filters, or the router ACLs, then you have something to be fully
concerned about and look into.
thanks,
Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.