I've been listening to this debate for years and have to add the one ruling factor that reality always requires: Money.
Firewall: Box costs money. (Maybe not as much as you think... ranging from a silly Linksys router to a Cisco state of the art, plenty of room in there for an older box with a hardened Linux or BSD load.) Administering the box costs money. Some admin with a clue and time, depending on what you got for a box. That Linux box would occupy an intermediate-level Linux admin heavily for a month or so, then fade off as they got a handle on things and the box up and running. Keeping the box current. You could almost shove that on the admin's plate, if they have time to read newsgroups and web pages and get the lowdown on new problems.

Hardening: Most patches are free (to download). Now, depending on how many machines we are talking about, get your one admin, or your small horde of helpdesk, out there patching machines with the patches tested in the lab. Money for the horde, money for the lab, money to run the lab, money to pay the horde or admin to test the patch against your lab system for problems. More money for an admin or two to keep abreast of what new patches are out there to fix the fixes and keep the patches current.

End effect: the firewall is prolly cheaper to implement in a big environment, more expensive in a small one. One-layer defense means it's a wet paper towel for a shield, but you'll prolly know they got through, or at least that they are trying. Hardened is more expensive in a big environment but cheaper in a small one, but if you miss a box, it will take time to escalate privileges to island-hop the system. Prolly won't know they are banging away at you or got in, though.

And that's only outside attacks. I'll be a monkey's uncle if an awful lot of exploited boxes didn't get nailed because Joe User ran that cute mole-bashing exe he got from Uncle Louis, you know, the one with the NetBus attached to it.
If you aren't blocking outgoing, or at least monitoring it, you'll only know you've been had if someone complains about you the next time a DDoS happens and you are one of the IPs, or that really great invention gets patented by someone else.

Is anti-virus/Trojan software considered hardening the systems? Add cost of software. Tiny Personal or Zone Alarm are hardening because they are on each box, right? Okay, if you know what you are doing, that kind of cheating the firewall/hardening question can work if you are small, but the bigger you are, the more likely you'll have users that will just click the "Allow this program to act as a server" or the "let this protocol on port 12345 through always".

Big: Cheaper and better to use a dedicated firewall. Or better, a couple of threat domains with a number of firewalls.
Little: Cheaper to patch the boxes and maybe nmap or nmapnt a couple of times a week.
Best answer: Both, to varying degrees, within various threat domains.
All systems: Run a good antivirus. Do good, comprehensive back-ups often and TEST them to see they worked.

Moral: It's money that's the deciding factor, 99% of the time.

Which domain of the CISSP covers the fact that back-ups protect your investments?

Dave
Systems Engineer
MCSE/CCNA/SSP

-----Original Message-----
From: Omar Koudsi [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 07, 2002 6:30 PM
To: [EMAIL PROTECTED]
Subject: Hardening VS firewalling ?

OK, I know this is more of a theoretical debate, because in reality we are able and should do BOTH. But according to you, which is more important? Paying attention to having a great firewall with a great ACL more than hardening and patching the systems? Or not have to worry about the firewall, or having one at all, and concentrate on applying best practices to OS/APPS and making sure the OS/APPS are up to date on patches?
In the unlikely event that you had to choose one over the other (or some people would argue that this is a reality since time is limited and you can really concentrate on one), which one would it be and why?

Regards,
-----------
Omar Koudsi
IT Architect
Network Security Center
Special Systems Company
http://security.sscjo.com
[EMAIL PROTECTED]
Tel: (9626) 5664221
Fax: (9626) 5681557