On 08/01/02 02:29 +0200, Omar Koudsi wrote:
> But according to you, which is more important? Paying attention to
> having a great firewall with a great ACL more than hardening and patching
> the systems? Or not have to worry about the firewall or having one at
> all and concentrate on applying best practices to OS/APPS and making
> sure the OS/APPS is up to date on patches?

I would say, hardening the boxes. It does not matter how great your firewall is; if your publicly accessible IIS server is still unpatched, you are toast. The firewall provides security in depth, and removes a lot of load from a lot of systems and concentrates it in a single point. This lets your systems get on with their job of serving data/whatever, without having to worry about packet filtering.

Another advantage of a firewall is that it provides a centralized source of logs, and a single point of failure. This makes the administrator's job easier, not having to correlate logs from a few dozen sources, but only one or two.

As usual, I personally would recommend a generic tight ruleset on the firewall, particularly on the antispoofing front. You have a local firewall on each box that is tightly locked and allows access to only public services from particular IPs. These services are fully patched and hardened.

> In the unlikely event that you had to choose one over the other (or some
> people would argue that this is a reality since time is limited and you
> can really concentrate on one), which one would it be and why?

A firewall with good antispoofing rules, and blocks for common attacks with a default DENY policy, backed up with fully patched systems and local firewalls with very strict policies.

Devdas Bhagat
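The layout the reply recommends, written out as an added nftables example (not from the original post, which predates nftables and names no tool): a perimeter ruleset with a default DROP policy, antispoofing checks on every interface, a single logged drop rule as the central log source, and a separate, stricter host ruleset on the web server that admits only its public services plus SSH from one admin host. The interfaces, addresses and admin host are assumptions for illustration; both rulesets are shown in one listing for brevity but would live on different machines in practice.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original post. Assumed topology (hypothetical):
#   eth0 = Internet-facing, eth1 = DMZ 203.0.113.0/24, eth2 = LAN 10.0.0.0/24
#   203.0.113.10 = public web server, 10.0.0.5 = admin workstation
flush ruleset

define WAN     = eth0
define DMZ     = eth1
define LAN     = eth2
define DMZ_NET = 203.0.113.0/24
define LAN_NET = 10.0.0.0/24
define WEB     = 203.0.113.10
define ADMIN   = 10.0.0.5
# Addresses that must never arrive from the Internet as a source.
define BOGONS  = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                   172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }

# ---- perimeter firewall ------------------------------------------------
table inet perimeter {
    chain input {
        type filter hook input priority 0; policy drop;   # default DENY
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # the firewall itself is managed only from the admin host, via the LAN
        iif $LAN ip saddr $ADMIN tcp dport 22 ct state new accept
        log prefix "fw-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop; # default DENY
        ct state established,related accept
        ct state invalid drop

        # antispoofing: each interface may only source its own addresses
        iif $WAN ip saddr $BOGONS drop
        iif $WAN ip saddr $DMZ_NET drop
        iif $DMZ ip saddr != $DMZ_NET drop
        iif $LAN ip saddr != $LAN_NET drop
        # and the Internet side must never be handed packets for inside ranges
        oif $WAN ip daddr $BOGONS drop

        # only the public services of the web server are reachable from outside
        iif $WAN oif $DMZ ip daddr $WEB tcp dport { 80, 443 } ct state new accept
        # administration of the web server only from the admin host
        iif $LAN oif $DMZ ip saddr $ADMIN ip daddr $WEB tcp dport 22 ct state new accept
        # keep path MTU discovery and error reporting working
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # everything else is logged once, here, then dropped
        log prefix "fw-forward-drop: " drop
    }
}

# ---- host firewall on the web server itself (separate file in practice) ---
table inet host {
    chain input {
        type filter hook input priority 0; policy drop;   # default DENY
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # public services only
        tcp dport { 80, 443 } ct state new accept
        # SSH only from the admin workstation, even though the perimeter
        # already restricts it: the host must not rely on the firewall alone
        ip saddr $ADMIN tcp dport 22 ct state new accept
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        log prefix "host-drop: " drop
    }
}
```

Load with `nft -f` on each box and check the result with `nft list ruleset`. The point of the duplicated SSH restriction on the host is the one the reply makes: if the perimeter is misconfigured or bypassed, the host ruleset still exposes nothing but the patched public services, and the perimeter's single logged drop rule is where rejected traffic is read.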
