[68796] in North American Network Operators' Group


Re: Firewall opinions wanted please

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Tue Mar 16 21:39:12 2004

To: Nicole <nmh@daemontech.com>
Cc: nanog@nanog.org
In-Reply-To: Your message of "Tue, 16 Mar 2004 14:27:16 PST."
             <XFMail.040316142716.nmh@daemontech.com> 
From: Valdis.Kletnieks@vt.edu
Date: Tue, 16 Mar 2004 21:38:36 -0500
Errors-To: owner-nanog-outgoing@merit.edu



On Tue, 16 Mar 2004 14:27:16 PST, Nicole <nmh@daemontech.com>  said:

>  From what I have heard a proxy firewall would be best? 

I'll go out on a limb here and say that the actual make and model of the
firewall don't matter anywhere *near* as much as a proper understanding on the
client's part of what a firewall can and can't do.

It can let you know when somebody's poking at your site.  But it can't do it on
its own; somebody *will* have to read the logs (even if you use a good
log-filtering package to trim out all the true noise).

It can't automagically secure your site.  All it takes is *one* laptop or VPN
connection to the "inside" from a compromised machine and you're history.

The most successful firewall installs I've encountered have invariably
considered the firewall not as a "prevention device" but as an "IDS with a bad
attitude". A firewall is *never* an acceptable substitute for proper end-host
security procedures - the end host *must* be fully prepared to deal with a
total breach of the firewall (remember - a firewall will never stop a
disgruntled employee).


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFAV7oscC3lWbTT17ARApnMAJ9hmCa1b6yr9LTuS2RfzHZOIQiUFwCdFqyQ
nJF1aMUpF+6xz63nOphW2O4=
=VqlB
-----END PGP SIGNATURE-----
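Added example, not part of Valdis's post or of any product he mentions: a small log-filtering pass of the kind the post says is still needed before a human reads the firewall logs, treating the DROP log as the "IDS with a bad attitude" he describes. It assumes a Linux netfilter firewall logging with a LOG rule prefixed "FW-DROP: " (the line format, the prefix, the thresholds and the sample lines are all constructed for this example). It throws away the true noise (LAN broadcast and multicast chatter), drops single stray packets, and reports only sources that walked several ports or kept hammering one service.

```python
"""Reduce firewall DROP logs to the findings a human should actually read."""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in the netfilter LOG target format, as written by a
# rule like  -A INPUT -j LOG --log-prefix "FW-DROP: "  (format assumed).
SAMPLE_LOG = """\
Mar 16 21:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 16 21:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23 SYN
Mar 16 21:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=25 SYN
Mar 16 21:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=80 SYN
Mar 16 21:01:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=443 SYN
Mar 16 21:01:04 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=3389 SYN
Mar 16 21:05:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=445 SYN
Mar 16 21:05:11 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=445 SYN
Mar 16 21:05:12 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=445 SYN
Mar 16 21:07:00 fw kernel: FW-DROP: IN=eth1 OUT= SRC=192.168.1.20 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
Mar 16 21:07:01 fw kernel: FW-DROP: IN=eth1 OUT= SRC=192.168.1.21 DST=224.0.0.251 PROTO=UDP SPT=5353 DPT=5353
Mar 16 21:09:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=80 SYN
"""

# Port fields are optional so ICMP lines (no SPT/DPT) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: FW-DROP: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the fields of one FW-DROP line as a dict, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["spt"] = int(ev["spt"]) if ev["spt"] else None
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev


def is_noise(event):
    """True noise: broadcast and multicast chatter (DHCP, mDNS, ...) that every
    LAN emits and a DROP rule will log forever.  Nobody needs to read it."""
    dst = ip_address(event["dst"])
    return dst.is_multicast or event["dst"] == "255.255.255.255"


def summarize(lines, scan_ports=5, repeat_threshold=3):
    """Group dropped packets by source and keep only what deserves a human's
    attention: sources that touched >= scan_ports distinct destination ports
    ("port scan") or sent >= repeat_threshold packets ("repeated probe").
    Single stray packets are suppressed.  Noisiest source first."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None or is_noise(ev):
            continue
        rec = per_src[ev["src"]]
        rec["packets"] += 1
        if ev["dpt"] is not None:
            rec["ports"].add(ev["dpt"])
        rec["first"] = rec["first"] or ev["ts"]
        rec["last"] = ev["ts"]

    findings = []
    for src, rec in per_src.items():
        ports = sorted(rec["ports"])
        if len(ports) >= scan_ports:
            kind = "port scan"
        elif rec["packets"] >= repeat_threshold:
            kind = "repeated probe"
        else:
            continue  # one stray packet: below the bar for a human's time
        findings.append({"src": src, "kind": kind, "packets": rec["packets"],
                         "ports": ports, "first": rec["first"], "last": rec["last"]})
    findings.sort(key=lambda f: (-f["packets"], f["src"]))
    return findings


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG.splitlines()):
        print(f"{f['kind']:15} {f['src']:15} {f['packets']:3} pkts  "
              f"ports={f['ports']}  {f['first']} .. {f['last']}")
```

On the constructed sample this reports 203.0.113.7 as a port scan (six ports in two seconds) and 192.0.2.44 as a repeated probe of TCP/445, and says nothing about the DHCP and mDNS broadcasts or the single packet from 192.0.2.99. The thresholds are deliberately crude; the point is that the filter only shrinks the pile, it does not replace the person who reads what is left.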

