At 12:43 30/08/00 -0500, Chris Tobkin wrote:

>In my opinion, multiple lines of defense is a good thing, but it doesn't
>mean having multiple firewalls, it means having a quality security process
>that focuses security in multiple areas to defend against attacks.  (It's
>not necessarily multiple physically, but moreso conceptually.)

Then I agree! However, I don't call this "multiple line". I call this "well
structured thinking", but it's just a question of vocabulary, so let it go...

>[snip]
>
>I can't agree completely here.

To tell you the truth, we are too!
This was more of a "provocative" response than a real recommendation.
Even if we forget about the requirements that you cited, I am still not
ready to recommend any commercial firewall.

>Recommending one firewall without knowing
>the requirements is not only an uninformed answer, it's a lazy one.  Each
>firewall has its strengths and weaknesses.  And, I can think of one or two
>ways to DoS each of them..  Keep in mind, they're software and software
>isn't perfect (neither is hardware)..

I fully agree.


>  Security is, IMHO, about mitigating
>risk.  By having the layers of security I listed above, one decreases the
>risk of a single vulnerability so your enterprise's security isn't all
>hinged on the quality of one product, in this case, the firewall.

My opinion is that there should be only one firewall, solely used to do jobs
that are not handled by other hosts. Then, set up a secure web server, a secure
mail server, ... and let each do their job. So, yes I vote for
multi-host-based-security, MHBS (anyone to sell this to the press, so that we
have a laugh...). This is just distributed computing, an old idea. Currently, it
is not easy to distribute security. But I am certain that if enough people
handle it, it'll be done.


regards,
mouss


