Hi,

>>My two cents relating to firewalls:
>>1) To me, the degree to which firewalls keep away hackers is somewhat
>>less relevant. For the most part, they all do what they are supposed to in
>>regards to telling a hacker, "hey, at least we've got something in
>>place."
>>(before you hammer me on this one, I am talking 'in general' and
>>'overall')
>
>keeping hackers out of the way is the most relevant thing for a FW.

I think he meant that, "in general", *any* firewall does the task of
keeping hackers away. Some firewalls are perhaps more successful at this
than others, but typically "keeping bad people out" is no longer a factor
in determining which firewall to choose.

>>2) Better to look at performance (throughput, etc.), concurrent sessions,
>>manageability, scalability, and the ability to integrate with other
>>security modules. THIS is where you will find the right firewall. Few
>>things are worse than a firewall that is unfriendly to manage.
>
>then why have a FW. a fast router is far better!
>an unfriendly but effective FW is still better than a friendly open hole.

The point is, if a firewall is friendly to manage, it's much *less* likely
to be an open hole, as we're already continuing on the assumption of point
#1 above that all firewalls can keep bad people away. A firewall, or even a
screening router, that is unfriendly to use is much *more* likely to have an
open hole, making it less effective at being a firewall. Therefore, having
a router instead is NOT better. Assuming that all firewalls do the job of
blocking traffic well, when properly configured, the factors that THEN
determine which one to choose are these: throughput (which is impacted by
the inspection of packets, NAT, VPNs and other functions common to most
firewalls today), concurrent sessions, ease-of-use, and scalability.

>Statistics are an old silly game. you can "prove" whatever with numbers,
>'cos they are easily subverted and people like to see/hear things that
>call their emotion instead of their brain. but the truth is elsewhere...

I hate math, and agree with the adage that I only trust statistics I've
made up myself, so I'll leave this one.

>>4) ALL connected stand-alone firewalls are hackable. Yes all.
>
>ALL sentences that are that general are untrue (this applies to this one!)

Actually, I would agree with point 4, because I don't believe anything is
impossible. Highly improbable, but not impossible. Therefore, there is no
such thing as a "secure" system (especially if it's connected to the
Internet!). So if there is a system that proves #4 false, I'd love to know
about it.

>>5) A firewall should NEVER be left without a co-existing IDS solution,
>>especially if one is 1/2 way serious about securing and managing the
>>network.
   [...]
>I'm not saying an IDS is useless, bad or anything like that. just saying
>that the truth lies in the middle. it's good for some, useless for others.

Based on what? Can you provide some examples of when an IDS is *not*
useful? That is, assuming it is properly configured, as we're assuming the
firewalls are properly configured. When would you NOT want to know that
someone was breaking into, or had broken into, your network?

Mark
----------------------------------------------------------------
Mark Boltz                                        Stonesoft Inc.
Network Security Specialist           115 Perimeter Center Place
[EMAIL PROTECTED]              South Terraces, Suite 1000
Tel: +1 770 668 1125                           Atlanta, GA 30346
Cel: +1 404 386 8500                                         USA
Fax: +1 770 668 1131                    http://www.stonesoft.com

Support: 1-866-435-7324 (US Toll Free)
Support: 1-678-259-3400
