Marcus,
So I guess what you're saying is we're all doomed? ;-)

Firewalls do logging, etc., which routers generally don't. I think this
is at least half the value of a firewall. That said, your point about a
firewall providing no better protection than a well-configured router is
well taken. However, the vast majority of the people responsible for
network security have neither the time nor the skill to do that kind of
configuration. Yes, that's a sad state of affairs, but I don't think
that as a result we should all lie down and wait for death. We'll make
do with what we have, even if it's not the best.

Ultimately, I think what most of us on this list are after is a degree
of acceptable security, not absolute security (which I'd argue is not
possible). Saying that we need to use protocols designed to be secure
is a nice ideal, but it's not practical -- what we actually need is to
bring in revenue, which always entails risks.

This isn't a pessimistic outlook, just a pragmatic one. Security is
about improving the odds, not removing all risk. So when we discuss
things like allowing DCOM (or allowing modems behind the firewall) --
sure, it's good to point out reasons you wouldn't want to do this. This
info might even help someone convince management not to do it. But, in
the end, if the business decides to go forward with the plan even
knowing the risks, let's help the poor person who's stuck with a bad
situation make it less bad.

As an aside, here's something to ponder: Yes, it's sad that most folks
responsible for security aren't experts. But are sophisticated hackers
multiplying at a greater rate than expert security professionals? Or are
they mostly novices, too? I suspect that, to a large degree, what we're
using firewalls to protect against is hacker tools. Kind of ironic,
isn't it? We have security tools for novices to protect against hacking
tools for novices.

Jen

P.S. I fall into that category you despair over -- a novice who's doing
security (actually, I'm worse -- I'm a manager of novices doing
security). There's no way any of us could configure a router to be more
secure than our firewall is (or should I say to be less insecure than
our firewall is?). But I'll bet our network is more secure than most.
Scary.