Patrick Beart wrote:
> At 5:38 PM -0500 3/18/02, Mike Burger wrote:
>> On Mon, 18 Mar 2002, Patrick Beart wrote:
>>> On Sat, 16 Mar 2002, Patrick Beart wrote:
>>>> I'm new to the whole "security" thing, but I've learned that
>>>> a hardware appliance is better than software, if only for the fact
>>>> that someone is technically already IN the machine when they hit the
>>>> firewall software. ...snip...
>>>>
>>>> ...snip...
>>>>
>>>> Having a PHYSICAL device sitting AHEAD of your server(s) is,
>>>> IMO, far superior to having the "software" sitting in that same
>>>> server box(-es). ...snip... I want the big electronic "bouncer"
>>>> sitting OUTSIDE my virtual house, not in the foyer.
>>
>> You've apparently missed the point that you could just as easily take an
>> old PC, install Linux with IPTables and just use it as a firewall, outside
>> of your servers, themselves.
>
> Why would I, or anyone, want to dedicate an entire 1U of space (or
> MORE!) for a firewall device when my Netscreen isn't any bigger than a
> 4-port hub? (about 5 x 6 inches) Seems like a waste of cabinet space to
> me, ... unless you're trying to secure more than a full cabinet worth of
> servers.

Not to step in in the middle of a conversation... but from what I see the low-end Netscreen doesn't have support for static mapping or service-based filtering. Having an old PC doing your firewalling _as_a_dedicated_device_ is a great idea. If you're trying to secure actual production stuff, low-end appliances and old PCs are bad ideas for everyone. Stick to real enterprise products from Cisco and Checkpoint.

>> I'm doing this, here... I have a Pentium 200 dedicated to nothing but
>> iptables firewalling, and then I also have some additional iptables
>> firewalling on the server, itself.
>>
>> A little double whammy for the bad guys.
>
> It's also twice the debugging, editing, and troubleshooting.
> Enjoy! ;-)

And it also follows best practices for security :-) Sure, you can make things *simple* so you don't have to think and learn and understand... but you're not going to have a secured network that way. What he's doing with his double whammy is the correct approach. If his network is compromised, attackers have to fight through additional layers of security. Again, best practices! Sounds like all someone has to do with your network is own one machine, and the rest is cake.

> Patrick Beart

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
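The layered setup the thread argues over (a dedicated iptables PC in front of the servers, plus iptables on the server itself), written out as an added example script; it is not code from any poster in this thread. The interface names eth0/eth1, the public address 192.0.2.10, the server LAN 10.0.0.0/24, the web server at 10.0.0.10 and the published services (tcp 80 and 443) are all assumptions chosen for the example. "Static mapping" is shown as a DNAT rule in the nat table and "service-based filtering" as port-specific FORWARD rules; the second layer on the server accepts only the same services, so a mistake on the perimeter box does not by itself expose anything else.

```shell
#!/bin/sh
# Added example (not from the thread): two-layer iptables policy.
# Layer 1 runs on the dedicated firewall PC (eth0 outside, eth1 inside);
# layer 2 runs on the web server behind it. Addresses, interface names and
# the published services are assumptions chosen for this example.
set -eu

WAN_IF=eth0                 # assumed outside interface of the firewall PC
LAN_IF=eth1                 # assumed inside interface of the firewall PC
PUBLIC_IP=192.0.2.10        # assumed public address (RFC 5737 documentation range)
LAN_NET=10.0.0.0/24         # assumed server LAN
WEB_SERVER=10.0.0.10        # assumed internal address of the web server

# Wrapper: with DRY_RUN=1 the rules are printed instead of applied, so the
# policy can be reviewed on a box that has neither iptables nor root.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Layer 1: the dedicated firewall sitting in front of the servers.
perimeter_rules() {
    [ "${DRY_RUN:-0}" = 1 ] || echo 1 > /proc/sys/net/ipv4/ip_forward
    ipt -F
    ipt -t nat -F
    # Default deny, both for traffic to the firewall and for traffic through it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Static mapping: public IP -> internal web server, for the published ports only.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 443 \
        -j DNAT --to-destination "$WEB_SERVER"
    # Service-based filtering: DNAT only rewrites addresses, FORWARD decides what passes.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 443 \
        -m state --state NEW -j ACCEPT
    # Servers may open outbound connections (updates, DNS), hidden behind the public IP.
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$PUBLIC_IP"
    # The firewall box itself accepts SSH only from the inside.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Layer 2: iptables on the web server. The perimeter already filtered, but if it
# is misconfigured or bypassed the server still admits only its own services.
server_rules() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT keeps the outside source address, so filter by service, not by source.
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
    # Admin access only from the server LAN (the perimeter never forwards 22 anyway).
    ipt -A INPUT -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

case "${1:-}" in
    perimeter) perimeter_rules ;;
    server)    server_rules ;;
    "")        ;;   # no mode given: only define the functions (e.g. when sourced)
    *)         echo "usage: $0 perimeter|server   (DRY_RUN=1 prints the rules)" >&2; exit 2 ;;
esac
```

Run `DRY_RUN=1 sh fw.sh perimeter` on any machine to read the perimeter rule set before applying it as root on the firewall PC, and `sh fw.sh server` on the web server. The two rule sets are deliberately independent: each has its own default-DROP policy and neither relies on the other having been applied, which is what makes the second layer worth the extra troubleshooting.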