Bennett Todd wrote:
>
> 1999-03-23-23:15:26 Daemeon Reiydelle:
> > Speaking for myself, I guess I prefer a bit of a belt-and-suspenders
> > approach, when it is my ass on the line.
>
> That much certainly sounds completely right.
>
> > Hence, the thought of both a front-end screen (also having the ISP do
> > some screening as well) and a firewall seemed like a perfectly reasonable
> > request.
>
> However, I'm not sure I see this part, if you define a firewall explicitly as
> "something more than a screening router".
I do consider a router using simple rules to be a screening router. (As
separate from e.g. midrange Cisco products that have some level of
firewalling software.)
>
> If you define a firewall as a choke point in network services for enforcing
> security policy, or some such abstract approach, then we are in perfect
> agreement. I just argue for a router (or HSRP pair or whatever) as the
> firewall implementation.
>
> The thing is, the access requirements for a public server are such that a more
> sophisticated firewall can't offer any additional protection; the server
> proper has to be reachable to do its job, and it can be hardened to include
> all protections that could be offered by a separate bastion host firewall. I
> just don't see paying the performance hit (or the astronomical cost of
> implementing a serious bastion-with-proxies that can cover a server farm
> filling a T3 with no appreciable performance degradation) if I can't get any
> additional protection or control.
My concern is with the holes that open/develop when someone makes a
mistake, leaves, is replaced with a less skilled person, doesn't have the
system down time to apply patches and reboot, etc. Usually some service
that you have to have gets a new vulnerability, some service that you
didn't think you needed gets started, etc.
Stateful inspection is a big win, and e.g. Firewall-1 doesn't take a lot
to protect one OC-3 (under $10,000 for an Ultra-2, 1 350 MHz processor,
128 MB, a second network card, etc.).
>
> -Bennett
--
Daemeon Reiydelle
Systems Engineer, Anthropomorphics Inc.
[EMAIL PROTECTED]
(USA) 510-524-0310
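To make the "stateful inspection is a big win" point concrete, here is an added, constructed model (not code from either poster or from any vendor) of the two filter styles: a screening-router ACL that judges each packet on its own, and a filter that keeps a table of admitted connections. The public ports, addresses and the unplanned service on port 8080 are assumptions for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool

# Policy: the only services the public server is supposed to offer.
PUBLIC_PORTS = {80, 443}

def screening_router(pkt: Packet) -> bool:
    """Stateless ACL: admit new connections to public ports, and admit any
    segment whose flags make it look like part of an existing connection."""
    if pkt.dport in PUBLIC_PORTS:
        return True
    if pkt.ack and not pkt.syn:   # flag-only check, no memory of prior packets
        return True
    return False

class StatefulFilter:
    """Admits a non-SYN segment only if its flow was admitted earlier,
    whatever flags it carries."""
    def __init__(self):
        self.flows = set()
    def allow(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.dst, pkt.dport)
        if pkt.syn and not pkt.ack:          # connection attempt
            if pkt.dport in PUBLIC_PORTS:
                self.flows.add(key)
                return True
            return False
        return key in self.flows

def compare(packets):
    """Return (screening_decision, stateful_decision) per packet."""
    sf = StatefulFilter()
    return [(screening_router(p), sf.allow(p)) for p in packets]

# Constructed traffic: a normal web connection, then segments toward a
# service on 8080 that was started on the server without policy being updated.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", 80, syn=True, ack=False),
    Packet("198.51.100.7", "192.0.2.10", 80, syn=False, ack=True),
    Packet("198.51.100.7", "192.0.2.10", 8080, syn=True, ack=False),
    Packet("198.51.100.7", "192.0.2.10", 8080, syn=False, ack=True),
]

if __name__ == "__main__":
    for p, (router, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"port {p.dport:5} syn={p.syn!s:5} ack={p.ack!s:5} "
              f"screening={router} stateful={stateful}")
```

The last packet is the case the thread is about: the flag-only rule lets traffic reach the unplanned service, while the state table, having never admitted that flow, drops it.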