Speaking for myself, I guess I prefer a bit of a belt-and-suspenders
approach, when it is my ass on the line. Hence, the thought of both a
front-end screen (also having the ISP do some screening as well) and a
firewall seemed like a perfectly reasonable request. I think your points
about "current software", "maintained patches", etc. are the key. Having
worked in a couple of major UNIX vendors' operating system development
groups, I know how long it takes to fix, test, and distribute a fix to a
newly discovered exploit. Worse, the exploits are known to all but the
law-abiding customers waiting for the vendor-supplied patches. I know of
one patch from a UNIX/NT vendor that was "pushed" out because CERT
threatened to send out an advisory with a no-known-fix after the vendor
sat on the problem for 6 MONTHS! Seems they couldn't find anyone still with
the company that had the knowledge, nor would they budget/allocate time
to learn about the spaghetti that was that piece of the kernel.
So I run BSD variants in front of my Solaris servers ... ;{)
Bennett Todd wrote:
>
> 1999-03-23-20:06:20 [EMAIL PROTECTED]:
> > I've been having trouble finding reliable information about scalable,
> > high-availability firewalls and was hoping some people here may be able
> > to give me some direction.
>
> I'm sure you'll be able to get all the different directions you could possibly
> want hereabouts. For some reason a line keeps going through my head, "a point
> in every direction is the same as no point at all".
>
> > - The firewall will be protecting an externally hosted web service we're
> > developing. High security and high reliability are essential.
> > - The traffic passing through the firewall will be 95% inbound SSL3
> > encrypted web traffic. The remainder would be outbound DNS queries and
> > SMTP traffic, and a small amount of inbound management traffic (VPN or
> > SSH).
> > - The system must be able to accommodate T3 levels of traffic (45Mbps).
> > - The system must have redundancy/failover capabilities.
> > - The system should provide good logging & auditing capabilities.
>
> Are you sure you can't simplify the problem spec a little? If you will
> just specify good hard hosts for your web servers --- hosts running a
> well-supported OS, kept up to date with the latest security patches, with all
> services disabled except only the ones you've named, and running good modern
> well-supported patched-up daemons for those services, why then you don't need
> any protection at all, and you can meet and exceed standards for a good secure
> setup by sticking a router up front with screening rules that allow only the
> traffic you indicated to pass through.
>
> You can configure a couple of Cisco routers that can handle full T3s, in an
> HSRP pair, and call the job done.
>
> -Bennett
--
Daemeon Reiydelle
Systems Engineer, Anthropomorphics Inc.
[EMAIL PROTECTED]
(USA) 510-524-0310
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
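The screening-router design Bennett describes (hardened hosts behind a default-deny screen that passes only the traffic the original poster listed) can be modelled in a few lines. The following is an added example, not code from either poster; it encodes the stated policy (inbound HTTPS, inbound management SSH, outbound DNS and SMTP plus their replies) as stateless rules and evaluates constructed sample packets against them. The web-server range, the management network and all addresses are constructed placeholders from the documentation ranges.

```python
"""Stateless screening-policy model for the web-service setup discussed in the thread.

Added example, not from the mailing-list post. The rule set permits only the
traffic the original poster listed and denies everything else. Address ranges
are constructed placeholders (RFC 5737 documentation space).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

WEB_SERVERS = ip_network("198.51.100.0/28")   # constructed: the hosted web servers
MGMT_NET = ip_network("192.0.2.0/24")         # constructed: where SSH management comes from
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    ack: bool = False   # TCP ACK set: packet belongs to an already-opened connection


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None     # None matches any destination port
    sport: Optional[int] = None     # None matches any source port
    established: bool = False       # require ACK, the classic stateless "established" test

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.established and not p.ack:
            return False
        return True


# First-match list; anything that falls off the end is denied.
POLICY: List[Rule] = [
    # Inbound HTTPS from anywhere to the web servers (the 95% case).
    Rule("https-in", "tcp", ANY, WEB_SERVERS, dport=443),
    # Inbound management SSH, but only from the management network.
    Rule("ssh-mgmt", "tcp", MGMT_NET, WEB_SERVERS, dport=22),
    # Outbound DNS queries and SMTP initiated by the servers.
    Rule("dns-out", "udp", WEB_SERVERS, ANY, dport=53),
    Rule("smtp-out", "tcp", WEB_SERVERS, ANY, dport=25),
    # Replies to that outbound traffic; a stateless screen must let these back in.
    Rule("dns-reply", "udp", ANY, WEB_SERVERS, sport=53),
    Rule("smtp-reply", "tcp", ANY, WEB_SERVERS, sport=25, established=True),
    # Return half of the inbound sessions heading back out.
    Rule("https-reply", "tcp", WEB_SERVERS, ANY, sport=443, established=True),
    Rule("ssh-reply", "tcp", WEB_SERVERS, MGMT_NET, sport=22, established=True),
]


def screen(p: Packet) -> Tuple[str, Optional[str]]:
    """Evaluate one packet: first matching rule permits it, otherwise implicit deny."""
    for rule in POLICY:
        if rule.matches(p):
            return "permit", rule.name
    return "deny", None


def audit(packets: List[Packet]) -> List[str]:
    """Produce one log line per packet, the kind of record the poster asked for."""
    lines = []
    for p in packets:
        verdict, rule = screen(p)
        lines.append(f"{verdict:6} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
                     f" [{rule or 'implicit-deny'}]")
    return lines


# Constructed sample traffic, including things the policy should refuse.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", "198.51.100.3", 51234, 443),            # customer HTTPS
    Packet("tcp", "198.51.100.3", "203.0.113.7", 443, 51234, ack=True),  # its reply
    Packet("tcp", "203.0.113.7", "198.51.100.3", 40000, 80),             # plain HTTP: not listed
    Packet("tcp", "203.0.113.9", "198.51.100.3", 50000, 22),             # SSH from the Internet
    Packet("tcp", "192.0.2.10", "198.51.100.3", 50000, 22),              # SSH from management
    Packet("udp", "198.51.100.3", "203.0.113.53", 53001, 53),            # DNS query out
    Packet("udp", "203.0.113.53", "198.51.100.3", 53, 53001),            # DNS answer back
    Packet("tcp", "203.0.113.25", "198.51.100.3", 25, 1025),             # SYN from port 25: no ACK
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS):
        print(line)
```

Two points the model makes visible. The TCP return rules lean on the ACK bit, so a fresh connection attempt that merely uses source port 25 or 443 is still denied. The UDP reply rule has no such handle: any datagram from source port 53 to the servers is passed, which is the known limitation of stateless screening and the reason the advice above pairs the screen with hosts that run nothing but the listed services.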