On Tue, 5 Jun 2001, Brooks Carlson wrote:

> I am currently using IPCHAINS as a firewall/packet filtering security
> measure for our company.  Do most people use a packet filtering system in
> conjunction with a proxy application level security measure?

"Most people" probably isn't the best security metric.  I'd say that "best
practice" is the concept of Defense in Depth, and that people practicing
DiD tend to like to have multiple layers of protection operating at
different layers in the stack in conjunction.  The flexibility that being
able to operate on SMTP and HTTP streams for things like active content
gives you is fairly important if the list of things you want to be able to
protect from is anything significant.  Also, if you're at all worried
about trojans, requiring application layer gateways will stop everything
that doesn't tunnel over one of the allowed protocols- that can be a
lifesaver for things like trojans that use IRC for instance.

Personally, I'd be very hard pressed to take responsibility for a network
that didn't have application layer gateways as an integral part of the
security infrastructure.

The "correct" method is to write a security policy based on level of
protection, business needs, and risk the company is willing to take, then
put in the right assets to provide the level of protection necessary to
provide the security/functionality balance appropriate for your
organization.  My bet is that just thinking about that is further than
"most people" go these days though.

Doing a formal "written policy" is helpful though.  Separate out usage,
implementation, risks and requirements and you'll have a good start on
lining up what's necessary to provide protection, and what kind of
protection you can afford to spend time on.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
