1999-03-23-23:15:26 Daemeon Reiydelle:
> Speaking for myself, I guess I prefer a bit of a belt-and-suspenders
> approach, when it is my ass on the line.
That much certainly sounds completely right.
> Hence, the thought of both a front-end screen (also having the ISP do
> some screening as well) and a firewall seemed like a perfectly reasonable
> request.
However, I'm not sure I see this part, if you define a firewall explicitly as
"something more than a screening router".
If you define a firewall as a choke point in network services for enforcing
security policy, or some such abstract approach, then we are in perfect
agreement. I just argue for a router (or HSRP pair or whatever) as the
firewall implementation.
The thing is, the access requirements for a public server are such that a more
sophisticated firewall can't offer any additional protection; the server
proper has to be reachable to do its job, and it can be hardened to include
all protections that could be offered by a separate bastion host firewall. I
just don't see paying the performance hit (or the astronomical cost of
implementing a serious bastion-with-proxies that can cover a server farm
filling a T3 with no appreciable performance degradation) if I can't get any
additional protection or control.
-Bennett
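The screening-router policy Bennett argues for, as an added example that is not part of the original thread: a first-match model of a router ACL pair (inbound toward the server, outbound from it) with the implicit deny that every router ACL ends in. The addresses (192.0.2.0/24 as the server netblock, 192.0.2.10 as the server), the rule names and the `Packet` fields are assumptions chosen for illustration, not anything the list posters wrote.

```python
"""Toy first-match model of a screening-router ACL in front of a public
web server.  Added illustration, not code from the firewalls list thread;
all addresses, ports and rule names below are assumed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER = ip_address("192.0.2.10")          # assumed: the public web server
SERVER_NET = ip_network("192.0.2.0/24")    # assumed: netblock behind the router
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    established: bool = False   # TCP ACK or RST bit set, i.e. what a stateless
                                # router's "established" keyword matches on


def _in_any(addr, nets):
    return any(addr in n for n in nets)


# Each rule is (name, action, predicate).  Rules are tried top-down, the first
# match decides, and a packet matching nothing is dropped (implicit deny).
INBOUND = [
    # Packets arriving from the outside claiming an inside source are forged.
    ("antispoof-own-block", "deny",
     lambda p: ip_address(p.src) in SERVER_NET),
    ("antispoof-private", "deny",
     lambda p: _in_any(ip_address(p.src), PRIVATE_NETS)),
    # Only the services the server exists to provide are reachable.
    ("http", "permit",
     lambda p: p.proto == "tcp" and ip_address(p.dst) == SERVER and p.dport == 80),
    ("https", "permit",
     lambda p: p.proto == "tcp" and ip_address(p.dst) == SERVER and p.dport == 443),
    # ICMP to the server is kept so path-MTU discovery keeps working.
    ("icmp-to-server", "permit",
     lambda p: p.proto == "icmp" and ip_address(p.dst) == SERVER),
]

OUTBOUND = [
    # Nothing may leave with a source address that is not ours.
    ("antispoof-egress", "deny",
     lambda p: ip_address(p.src) not in SERVER_NET),
    # The server may answer clients but may not open connections outward,
    # which limits what a compromised server can do.
    ("web-replies", "permit",
     lambda p: p.proto == "tcp" and ip_address(p.src) == SERVER
     and p.sport in (80, 443) and p.established),
]


def evaluate(acl, pkt):
    """Return (action, rule_name) for the first rule that matches pkt."""
    for name, action, match in acl:
        if match(pkt):
            return action, name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.5 plays an Internet client.
    samples = [
        ("inbound", INBOUND, Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 80)),
        ("inbound", INBOUND, Packet("203.0.113.5", "192.0.2.10", "tcp", 40001, 22)),
        ("inbound", INBOUND, Packet("192.0.2.7", "192.0.2.10", "tcp", 40002, 80)),
        ("outbound", OUTBOUND, Packet("192.0.2.10", "203.0.113.5", "tcp", 80, 40000, True)),
        ("outbound", OUTBOUND, Packet("192.0.2.10", "203.0.113.5", "tcp", 33000, 80)),
    ]
    for direction, acl, pkt in samples:
        action, rule = evaluate(acl, pkt)
        print(f"{direction:8} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f" {pkt.proto:4} => {action} ({rule})")
```

One caveat worth keeping in mind with this design: the `established` match on a stateless router is only a check of the ACK/RST bits, so it stops a compromised server from completing an outbound TCP handshake but does not stop it from emitting ACK-flagged packets to an outside host; that is exactly the class of control a stateful device or a host-level filter on the hardened server adds on top of the router.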