[68885] in North American Network Operators' Group
Re: Firewall opinions wanted please
daemon@ATHENA.MIT.EDU (Alexei Roudnev)
Thu Mar 18 01:22:23 2004
From: "Alexei Roudnev" <alex@relcom.net>
To: <bep@whack.org>, <erik@we-dare.net>
Cc: "Petri Helenius" <pete@he.iki.fi>,
"Rachael Treu" <rara@navigo.com>, "Gregory Taylor" <greg@xwb.com>,
<nanog@merit.edu>
Date: Wed, 17 Mar 2004 22:20:51 -0800
Errors-To: owner-nanog-outgoing@merit.edu
>
> And I think you have hit it right on the head...another line of defense.
> Everything I've ever read about security (network or otherwise) suggests
> that a layered approach increases effectiveness. I certainly don't trust a
> firewall appliance as my only security device, so I also do prudent things
> like disable ports and applications that are not in use on my network and
> enforce authentication and authorization for access to legitimate services.
Unfortunately, it decreases it.
If I turn off file sharing on a Windows server, I'll increase security but
complicate support (in some cases).
If I run an IDS system, I spend time verifying and approving changes done by
maintainers. And so on.
So, it is very important to have a strong FIRST line of defense (inbound
firewalls) and a last line (host IDS); it allows you to bring a little more
efficiency by keeping convenient (but not very secure) protocols inside your
internal network. Else, you end up in full paranoia.
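The trade-off described in the reply above (a strict inbound perimeter so that convenient protocols such as SMB can stay usable inside) can be written down as an explicit policy and checked against sample flows. The following Python is an added example, not code from the thread or from any product it mentions; the internal address ranges, the port sets and the sample flows are all constructed for illustration.

```python
"""Perimeter-first policy check: strong inbound firewall, convenience kept
inside.  Added example with constructed data; not from the NANOG thread."""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# "Convenient but not very secure" services that are kept internal only.
INTERNAL_ONLY_PORTS = {445: "SMB", 139: "NetBIOS session", 3389: "RDP"}
# Services deliberately reachable from outside through the perimeter.
PUBLIC_PORTS = {25: "SMTP", 443: "HTTPS"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def perimeter_decision(flow: Flow) -> str:
    """First line of defense: the inbound firewall, applied to traffic whose
    source is outside.  Default deny; only PUBLIC_PORTS are accepted, and an
    internal-only protocol is never accepted from outside."""
    if flow.dport in INTERNAL_ONLY_PORTS:
        return "deny"
    if flow.dport in PUBLIC_PORTS:
        return "allow"
    return "deny"


def interior_decision(flow: Flow) -> str:
    """Inside the network the convenient protocols are permitted between
    internal hosts; that is the efficiency the author trades for a hard edge.
    Egress policy is out of scope here and is simply allowed."""
    return "allow"


def evaluate(flow: Flow) -> str:
    """Route a flow to the perimeter or the interior policy by its source."""
    if is_internal(flow.src):
        return interior_decision(flow)
    return perimeter_decision(flow)


def audit(flows):
    """Return (flow, decision) pairs plus a count of perimeter hits on
    internal-only ports, a useful signal to watch in firewall deny logs."""
    results = [(f, evaluate(f)) for f in flows]
    probes = sum(1 for f, d in results
                 if d == "deny" and not is_internal(f.src)
                 and f.dport in INTERNAL_ONLY_PORTS)
    return results, probes


# Constructed sample flows (203.0.113.0/24 is documentation space, i.e. outside).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.168.1.10", 445),   # SMB from outside: denied
    Flow("203.0.113.7", "192.168.1.10", 443),   # HTTPS from outside: allowed
    Flow("203.0.113.9", "192.168.1.10", 3389),  # RDP from outside: denied
    Flow("10.1.2.3", "192.168.1.10", 445),      # SMB inside to inside: allowed
]

if __name__ == "__main__":
    decisions, probe_count = audit(SAMPLE_FLOWS)
    for flow, decision in decisions:
        print(f"{flow.src:>14} -> {flow.dst}:{flow.dport:<5} {decision}")
    print(f"perimeter hits on internal-only ports: {probe_count}")
```

The split between `perimeter_decision` and `interior_decision` is the point: the edge is default-deny and never admits SMB or RDP from outside, while internal-to-internal traffic on those ports is left alone. The `probes` counter in `audit` is the kind of number a host or network IDS would surface as the "last line", since denied external attempts on internal-only ports are worth reviewing even though the perimeter already stopped them.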