Mickey, Your exactly right about that as well.
If you understand the risk, implement and secure to minimize your vulnerability, then all is good. What I mean by that is if you've got 1000's of web servers and are using "faster" non-proxying firewalls, then you need to understand that those web servers may get exploited in the future, even the proxied ones might. If these web servers do not contain anything but your public information and you implement and secure with this in mind then you are limiting your exposure to the risk. A product like Tripwire could tell you if anything changed. If you get hacked what's the worse thing that could happen? A defacement. No credit card numbers, social security names, account numbers, salaries, customer information, nothing needs to be out there. In addition, I could still use a more secure firewall between my enterprise and this service network. Especially if the web servers are coming inside to gather information to send back outside. Phil ----- Original Message ----- From: "Mickey S. Olsberg" <[EMAIL PROTECTED]> To: "'Phil Kramer'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, October 01, 2001 2:01 PM Subject: RE: Hardware Firewall vs Software Firewall > I agree wholeheartedly with Phil's opinion, but would add one note. The > only case in my opinion which justifies the speed over security is > very-high bandwidth applications, such as a certain place I know that > contains 36,000 nodes behind its firewalls. Still, you must weigh the > need for security against the need for speed, and security should > *always* win. > > Mickey ----- Original Message ----- From: "Mickey S. Olsberg" <[EMAIL PROTECTED]> To: "'Phil Kramer'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, October 01, 2001 2:01 PM Subject: RE: Hardware Firewall vs Software Firewall > I agree wholeheartedly with Phil's opinion, but would add one note. The > only case in my opinion which justifies the speed over security is > very-high bandwidth applications, such as a certain place I know that > contains 36,000 nodes behind its firewalls. Still, you must weigh the > need for security against the need for speed, and security should > *always* win. > > Mickey > > -----Original Message----- > From: Phil Kramer [mailto:[EMAIL PROTECTED]] > Sent: Friday, September 28, 2001 8:23 PM > To: [EMAIL PROTECTED] > Subject: Re: Hardware Firewall vs Software Firewall > > > My personal opinion is not hardware vs software, but what firewall is > most secure. You can talk about PIX, CheckPoint, Linux with IPtables, > IPchains and IPfilters but from a security point of view a pure > application proxy is more secure. How many people can notice a 20 ms > pause? If you want speed get a router with ACLS, that's what PIX is. > All these stateful inspection/packet filter technolgies work at too low > a level (layers 2-4) to provide enterprise security. For web servers, > mail servers etc. you need layer 7 checking. > > Phil Kramer, SANS GSEC > Systems Solutions Technologies, LLC > Phone: 615-646-5766 > email: [EMAIL PROTECTED] > > >
