On 12-Apr-99 at 16:09, Gary Maltzen ([EMAIL PROTECTED]) wrote:
> I would think that using a single firewall server (especially one running
> any other Internet client or server app) would be less secure as it only
> requires a single fault to compromise your entire intranet.

Firewalls are not a "one-size fits all" kind of thing.  A firewall with
3 interfaces that can be managed by someone in their available time is
better than two separate firewalls and a DMZ which the person responsible
does not have time to manage.

I agree, I like the idea of two firewalls from different manufacturers
to limit exposure.  Many places don't have the time or the money to
have someone competent on two systems.  It is obviously much easier
to learn one.  I would seriously consider an argument that said two
firewalls from the same company is not significantly more secure than
a single firewall with 3 interfaces.

Now, I would very much discourage having the firewall do any more than
is absolutely necessary.  For example I would be much more comfortable
with a locked down DNS in the DMZ with all the goodies turned off than
having my firewall access my internal DNS server.

The biggest thing to remember is time to manage your servers very much
decides what you can do.  If your company can afford to spend big
bucks on firewalls but can't afford to have someone spend the extra
time, a simpler solution may be a better solution for their particular
situation.


Roger Books
-------------------------------------------------------
| Unix sysadmin, Unix group         | (850)921-0729   |
| Information Technology Program    |                 |
| Dept of Mgmt Services             |                 |
| State of Florida                  |                 |
-------------------------------------------------------

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
