At 18:42 21/08/00 +0200, Mikael Olsson wrote:
>mouss wrote:
> >
> > I can :)
> > A firewall is a system based on hardware and/or software and designed to help
> > you protect a network. It is a tool that performs access control to allow,
> > reject or alter packets going through it. The access control may be performed on
> > the IP packet headers, on TCP/UDP/ICMP/whatever headers, and/or on data.
>
>Can I have a shot, too? :)
Yes, everyone can join. Beers are in the fridge.
>I'd say that the definition is actually closer to "A firewall is a system
>or collection of systems designed to enforce a security policy."
That's an acceptable one too. After all, there's enough space in this world to
make everyone happy.
You can reread mine in your sense; just define the meaning of "protect the
network" to be the same as "make access to your network compatible with your
security policy".
Note however that our definitions are not the most used in this world. The most
used definition is: a firewall is a system that enables some companies to
adequately earn money by selling inadequate solutions to inadequate users
at inadequate prices, and then selling inadequate maintenance...
>There's nothing in any firewall definition that says that a firewall has
>to look at IP, TCP, etc, etc and/or modify, or selectively drop packets, or
>anything at all.
No, but there's nothing that states the opposite, which is why I said
_may_, not _do_.
>If your security policy states "anything can get into our network, as
>long as we know what it is, so that we can manually counter attacks
>later on", your "firewall" could consist of packet sniffers placed
>at all points of contact with other networks (such as the Internet).
Actually, this is a fully reasonable way to protect the network without
reducing the performance, although many people won't choose this
model as it requires some administration work:
just harden all the hosts, back up data periodically, ....
>And, to go the other way, a "firewall" may also be something like:
>Two dynamic packet filters creating a DMZ, in which a bastion host
>is located to handle proxying to the outside world. In addition to
>this, we've got a third dynamic packet filter connected separately,
>having three interfaces that implement a second DMZ where incoming
>mail is handled by our anti virus scanner. All the machines I've
>mentioned in this paragraph are part of the firewall.
Or, the firewall may be the whole internet. It then protects us from any packets
that may be sent from other planetworks. Though no one has ever seen any,
one never knows, and we ought to protect ourselves :-;
>By the way, this is the kind of firewall that I like. Separate
>machines are great. I spit in the face of all do-everything-on-the-
>same-machine type guys! Pah! :) :)
Yes, it is hard to understand people seeking a single host to do
everything (how many customers have I heard who wanted the http proxy to do
caching, and when the answer was no, the next question was "can I install squid on
the firewall"? I still don't know if the right answer is "yes, you can even install
windows", or "no, but we can do that for you, for a few $1000"), when the internet
itself is about using multiple hosts to do anything.
></rant mode off>
fwsh#
This is Tex 3.141592.
Warning: '<' used while not in math mode.
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
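The separate-machines firewall sketched in Mikael's message (two dynamic packet filters around a DMZ with a proxying bastion host, plus a third, three-interface filter with a second DMZ for the anti-virus mail relay) is easy to describe and easy to get wrong in the rules. The following is an added example, not code from the original thread: a small Python model of that topology in which each filter is a stateful ("dynamic") packet filter with a default-deny rule set and a flow table, so a reply is admitted only if the first packet of its flow was permitted. All addresses, zone names, the proxy port 3128 and the sample packets are constructed for the example; the thread names none of them, and the model routes internet-to-inside traffic over the bastion pair rather than the mail filter's inside interface.

```python
"""Model of a two-filter DMZ with a proxying bastion, plus a three-interface
mail filter with an anti-virus relay in a second DMZ.
Addressing, ports and traffic are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {                                  # constructed addressing
    "dmz1":   ip_network("10.1.0.0/24"),   # bastion / proxy lives here
    "inside": ip_network("10.2.0.0/24"),   # the protected network
    "dmz2":   ip_network("10.3.0.0/24"),   # anti-virus mail relay lives here
}
BASTION, PROXY_PORT = "10.1.0.10", 3128    # assumed proxy port
AV_RELAY, MAILHOST = "10.3.0.25", "10.2.0.25"


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside our nets is the internet."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 40000
    dport: int = 80
    syn: bool = True        # True for the first packet of a flow


@dataclass(frozen=True)
class Rule:
    """Permit rule: src/dst are a zone name, a host address or 'any'."""
    src: str
    dst: str
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        def side(sel: str, addr: str) -> bool:
            return sel in ("any", addr, zone_of(addr))
        return (side(self.src, p.src) and side(self.dst, p.dst)
                and self.dport in (None, p.dport))


class DynamicPacketFilter:
    """Default-deny filter that remembers permitted flows and admits replies."""
    def __init__(self, name: str, rules):
        self.name, self.rules, self.flows = name, list(rules), set()

    def accept(self, p: Packet) -> bool:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.flows or rev in self.flows:
            return True                       # part of an established flow
        if p.syn and any(r.matches(p) for r in self.rules):
            self.flows.add(fwd)               # open state for the new flow
            return True
        return False                          # no rule, no state: drop


OUTER = DynamicPacketFilter("outer", [Rule(BASTION, "internet")])       # only the proxy talks out
INNER = DynamicPacketFilter("inner", [Rule("inside", BASTION, PROXY_PORT)])  # clients only reach the proxy
MAIL = DynamicPacketFilter("mail", [Rule("any", AV_RELAY, 25),          # outside MTAs hit the AV relay
                                    Rule(AV_RELAY, MAILHOST, 25)])      # the relay feeds the inside host

# Filters crossed from zone a to zone b, in traversal order.
ORDERED = {
    ("internet", "dmz1"): [OUTER],
    ("dmz1", "inside"): [INNER],
    ("internet", "inside"): [OUTER, INNER],
    ("internet", "dmz2"): [MAIL],
    ("dmz2", "inside"): [MAIL],
}


def path(a: str, b: str):
    if (a, b) in ORDERED:
        return ORDERED[(a, b)]
    if (b, a) in ORDERED:
        return list(reversed(ORDERED[(b, a)]))
    return []                                 # same zone: no filter in between


def firewall_accepts(p: Packet) -> bool:
    """True if every filter on the packet's path accepts it (first drop wins)."""
    return all(f.accept(p) for f in path(zone_of(p.src), zone_of(p.dst)))


def demo() -> dict:
    """Constructed traffic exercising the policy; keys describe each case."""
    r = {}
    r["client->proxy"] = firewall_accepts(Packet("10.2.0.7", BASTION, sport=51000, dport=PROXY_PORT))
    r["proxy->web"] = firewall_accepts(Packet(BASTION, "203.0.113.80", sport=52000, dport=80))
    r["web->proxy reply"] = firewall_accepts(Packet("203.0.113.80", BASTION, sport=80, dport=52000, syn=False))
    r["client->web direct"] = firewall_accepts(Packet("10.2.0.7", "203.0.113.80", dport=80))
    r["unsolicited reply"] = firewall_accepts(Packet("198.51.100.9", BASTION, sport=80, dport=52001, syn=False))
    r["mta->relay"] = firewall_accepts(Packet("198.51.100.25", AV_RELAY, dport=25))
    r["relay->mailhost"] = firewall_accepts(Packet(AV_RELAY, MAILHOST, dport=25))
    r["mta->mailhost direct"] = firewall_accepts(Packet("198.51.100.25", MAILHOST, dport=25))
    return r


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24} {'ACCEPT' if ok else 'DROP'}")
```

Two points the model makes visible: a client that bypasses the proxy is dropped at the inner filter, so the bastion is the only path out, and a packet from outside that merely looks like a reply (source port 80, no SYN) is dropped because no filter holds state for it, which is exactly what "dynamic" buys over a static rule that permits "source port 80 inbound". The mail leg shows the same shape: the outside MTA can reach only the relay, and only the relay can reach the internal mail host.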