On 28/11/02 09:23 +0530, [EMAIL PROTECTED] wrote:
<snip>
> > 2. What are the application/software required to be installed?
> Again, if you are running a separate box as the firewall, then *no* app
> should be installed except for the firewall.

What about application proxies? SOCKS? I would definitely consider proxies as part of a firewall (OSI layer 7). If you mean a firewall only as a stateful packet filter, then yes, no applications should be running there. But if you consider a firewall as a security system, then application layer proxies should be included too. The best packet filter in the world will not protect your unpatched public Apache box from being exploited. OTOH, breaking into a patched Apache box is a different issue.

Security is a process. Defense must be in depth. ACLs on the edge routers to prevent RFC 1918 addresses from entering your network, egress filtering, SPFs to reduce noise close to the edge, application layer firewalls defending applications, secure code in the applications themselves, encrypted network communications, IDS, clued-up users...

The ultimate firewall of course, is secure code, running on a physically secure machine, with level 8 security in place. Firewalls as a bandage for bad code are a bad idea. Properly used to segment networks with varying security requirements, they can be useful.

Devdas Bhagat
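The two edge-router items in the list above, dropping RFC 1918 sources arriving from the Internet and egress filtering so only our own addresses may leave, written out as a small policy function. This is an added example for this archive page, not code from the poster or the thread; the prefix 203.0.113.0/24 (a documentation range) is a constructed stand-in for "our public network", and the sample packets are constructed as well.

```python
"""Edge ACL policy as a pure function: ingress drops RFC 1918 (private) sources,
egress drops anything not sourced from our own prefix.  Example code only; a
real router expresses the same policy as interface ACLs, not Python."""
import ipaddress
from dataclasses import dataclass
from collections import Counter

# Constructed placeholder for the public prefix this organisation owns (RFC 5737 TEST-NET-3).
OUR_PUBLIC_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 private address space: legitimate Internet traffic never carries these as a source.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in": arriving from the Internet side; "out": leaving toward it


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def edge_acl(pkt: Packet) -> str:
    """Return 'permit' or 'drop <reason>' for one packet at the edge router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        # Ingress: a private source on the outside interface is spoofed or misrouted.
        if is_rfc1918(src):
            return "drop ingress-rfc1918-source"
        # Anything arriving from outside must be addressed to us.
        if dst not in OUR_PUBLIC_PREFIX:
            return "drop ingress-not-our-destination"
        return "permit"
    if pkt.direction == "out":
        # Egress filtering: a compromised internal host cannot spoof other people's addresses.
        if src not in OUR_PUBLIC_PREFIX:
            return "drop egress-spoofed-source"
        # Private destinations are unroutable on the Internet; drop rather than leak them.
        if is_rfc1918(dst):
            return "drop egress-private-destination"
        return "permit"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def apply_policy(packets):
    """Evaluate every packet and return (per-packet decisions, count per decision)."""
    decisions = [(p, edge_acl(p)) for p in packets]
    return decisions, Counter(d for _, d in decisions)


# Constructed sample traffic seen at the edge.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "in"),   # ordinary inbound, permitted
    Packet("10.1.2.3", "203.0.113.10", "in"),       # RFC 1918 source from outside: spoofed
    Packet("198.51.100.7", "192.0.2.5", "in"),      # not addressed to us
    Packet("203.0.113.20", "198.51.100.7", "out"),  # ordinary outbound, permitted
    Packet("192.0.2.99", "198.51.100.7", "out"),    # spoofed source leaving our network
    Packet("203.0.113.20", "172.16.5.5", "out"),    # private destination leaking out
]

if __name__ == "__main__":
    decisions, totals = apply_policy(SAMPLE_PACKETS)
    for pkt, verdict in decisions:
        print(f"{pkt.direction:3} {pkt.src:>14} -> {pkt.dst:<14} {verdict}")
    print(dict(totals))
```

The point of separating the two directions is that each rule answers a different question: ingress asks "could this source legitimately be on the Internet side?", egress asks "could this source legitimately be one of ours?". Both are cheap and stateless, which is why they sit at the edge rather than on the stateful filter or the application proxy.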