Dave Harris wrote:
>
> I take your point about defense in depth, however, I'm of the opinion
> that routers should route and firewalls should firewall. If your
> firewall can't stop evil packets getting into your network then get
> one that does. Isn't that the point?
I still cringe every time I see this in print. ;)
> Could you tell me your arguments for and against re router filtering or direct me
> to some literature on the subject?
Let me put it to you this way, disk drives are designed to store data
and do a very good job of it. Do you trust having one copy of your
critical files on a single drive or do you make backups, use RAID V,
etc. as extra insurance that your data will remain secure?
The same principles apply to perimeter security. A single firewall
provides a single layer of security. If there are any bumps, glitches or
gotchas in the code, then you leave yourself vulnerable to attack. I
have yet to see a firewall that has gone through public scrutiny and
come out the other side as 100% perfect and infallible.
By deploying two or more layers of perimeter protection, you hedge your
bets. If one layer has a tiny hole, chances are you can plug it with the
second layer. Also, some security measures (like broadcast mapping and
source routing) are actually easier to deal with on a router.
HTH,
Chris
--
**************************************
[EMAIL PROTECTED]
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
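As an added illustration of the router-side checks Chris mentions (this is not code from the thread or from either poster), the following Python sketch parses a raw IPv4 header and flags the two cases named in the reply, source routing and directed broadcast, plus a third common ingress rule, an "internal" source address arriving from outside. It assumes a hypothetical inside network of 192.0.2.0/24; the packets are constructed by hand with a zero checksum so it runs offline. The point is only that these are header-level decisions a router ACL can make before anything reaches the firewall, which then gets to do the stateful work.

```python
"""Ingress checks a border router can apply before packets reach the firewall.

Added example, not from the mailing-list thread. It parses a raw IPv4 header
and flags source-routed packets, directed broadcasts, and spoofed internal
source addresses. Every packet used here is constructed inline; no network
access is needed.
"""
import ipaddress
import struct

# IPv4 option type codes from RFC 791.
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # single-byte no-op padding
IPOPT_LSRR = 131   # loose source and record route
IPOPT_SSRR = 137   # strict source and record route

# Assumed internal network behind the router (hypothetical, for the example).
INSIDE = ipaddress.IPv4Network("192.0.2.0/24")


def build_ipv4(src, dst, options=b""):
    """Build a minimal IPv4 header plus options with a zero checksum.

    Constructed test input only; a real router would see real checksums.
    Options are padded to a 4-byte boundary so the IHL field is exact.
    """
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,   # version 4, header length in 32-bit words
        0,                # TOS
        ihl * 4,          # total length (header only, no payload)
        0, 0,             # identification, flags/fragment offset
        64,               # TTL
        17,               # protocol: UDP
        0,                # header checksum (left zero on purpose)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + options


def ipv4_options(pkt):
    """Yield the option type codes present in an IPv4 header."""
    ihl = pkt[0] & 0x0F
    opts = pkt[20:ihl * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            return
        yield kind
        if kind == IPOPT_NOP:
            i += 1
        else:
            # Length byte covers type+len+data; a malformed length of 0 or 1
            # still advances so a hostile packet cannot loop the parser.
            length = opts[i + 1] if i + 1 < len(opts) else 0
            i += max(length, 2)


def ingress_verdict(pkt, inside=INSIDE):
    """Return the reasons a router should drop an inbound packet.

    An empty list means "pass it on to the firewall for stateful inspection";
    the router only handles the cheap, stateless header checks.
    """
    reasons = []
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    kinds = set(ipv4_options(pkt))
    if kinds & {IPOPT_LSRR, IPOPT_SSRR}:
        reasons.append("source-routed")
    if dst == inside.broadcast_address:
        reasons.append("directed-broadcast")
    if src in inside:
        reasons.append("spoofed-internal-source")
    return reasons


if __name__ == "__main__":
    lsrr = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("203.0.113.1").packed
    samples = {
        "normal":      build_ipv4("198.51.100.7", "192.0.2.10"),
        "smurf-style": build_ipv4("198.51.100.7", "192.0.2.255"),
        "source-rt":   build_ipv4("198.51.100.7", "192.0.2.10", lsrr),
        "spoofed":     build_ipv4("192.0.2.5", "192.0.2.10"),
    }
    for name, pkt in samples.items():
        print(f"{name:12s} -> {ingress_verdict(pkt) or 'pass to firewall'}")
```

The verdict list is deliberately separate from any enforcement: the same checks map directly onto an ingress ACL on the router, while anything that comes back empty is exactly the traffic the firewall still has to inspect, which is the two-layer arrangement the reply argues for.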