1999-05-27-17:35:32 David Lang:
> Along the lines of the current discussion of firewall use, I just had an
> interesting recommendation made to me by a consultant we are thinking of
> hiring.
>[...]
> The thing that puzzles me is that the recommendation is to OPEN UP THE
> ROUTER so that it only blocks a few ports and have the firewall do the
> rest! The rationale is that a firewall is better for security than the
> router and can give me better indications of attacks than we can from the
> router logs.
>
> My reaction is that it is better to try and stop it at both the router and
> the firewall, along with an alarm on the firewall that if it sees any of
> this it means that the router has been hacked, but I would like to get
> some additional feedback on this.

This one has been hashed out at length, and as best I recall the flames just
died out from fuel exhaustion, and the issue was never settled to anyone's
satisfaction. I believe I can restart the extreme views from the debate
pretty clearly, but do remember that many, perhaps most people weren't at
either of the extremes but somewhere in the middle.

(1) Make the barrier so secure that people cannot break through, and don't
    bother logging failed attempts. You aren't going to pay attention to those
    logs anyway, you don't have the time. Logs just eat resources, add
    complexity, and so make your setup more fragile. Ditch 'em.

(2) Log everything you possibly can. Spend whatever resources you have
    available on analysis; perhaps you'll catch someone making a serious
    attempt before they finish breaking in, perhaps you'll learn enough about
    the patterns of traffic banging against your door to quickly notice an
    important change, perhaps you'll decide to buy a litter of lawyers, feed
    'em plenty of red meat, and sic 'em on the script kiddies just for sport.
    Maybe even retroactively. So log everything you possibly can, keep all the
    logs forever.

As I review my attempted statements of the extreme positions, I find each of
the extremes pretty appealing. Hmm.

-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
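
The alarm David Lang describes in the quoted message, a firewall-side check that flags any traffic the upstream router was supposed to drop, as an added detection example that is not code from this thread. It assumes a constructed iptables-style log format and a hypothetical list of router-denied ports; both are stand-ins for whatever a real site's router ACL and firewall logging actually look like.

```python
"""Defense-in-depth check: if the firewall sees inbound traffic that the
border router is configured to deny, the router's filtering has failed,
been changed, or been bypassed, and that deserves an alert on its own."""
import re
from collections import Counter

# Hypothetical policy: destination ports the router ACL denies inbound.
ROUTER_DENIED_PORTS = {23, 111, 135, 137, 138, 139, 445}

# Constructed sample firewall log lines (iptables-style fields, not real data).
SAMPLE_FIREWALL_LOG = """\
May 27 17:35:01 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40211 DPT=80
May 27 17:35:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=40212 DPT=443
May 27 17:35:03 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3000 DPT=139
May 27 17:35:04 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=3001 DPT=445
May 27 17:35:05 fw kernel: IN=eth1 SRC=10.0.0.4 DST=10.0.0.9 PROTO=TCP SPT=5000 DPT=139
"""

LINE_RE = re.compile(
    r"IN=(?P<iface>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))? DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract interface, addresses and destination port; None if not a packet line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec


def router_bypass_alerts(log_text, denied_ports=ROUTER_DENIED_PORTS, outside_iface="eth0"):
    """Return (src, dst, dport) for packets that arrived on the outside
    interface with a destination port the router should already have dropped."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["iface"] != outside_iface:
            continue  # internal-side traffic never crossed the router; not evidence
        if rec["dpt"] in denied_ports:
            alerts.append((rec["src"], rec["dst"], rec["dpt"]))
    return alerts


def summarize(alerts):
    """Count leaks per source address so a burst from one host stands out."""
    return Counter(src for src, _, _ in alerts)
```

Any non-empty result is the "router has been hacked (or misconfigured)" signal from the quoted message; the per-source summary is what an operator would actually page on.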
