At 19:03 01/09/00 +0200, Thomas Lopatic wrote:

>[snip]
>
>Yes, I know a lot about FireWall-1. But let us get back to where we came
>from. To the two lines of defence.

you're right. let's get back to this more interesting subject.

let me first say that I fully agree that
- using multiple hosts is a good thing (independently of defense, so a cache proxy,
  a content filter, ... should not go on "the" firewall).
- multiple lines of defense is a good thing.

however, if we all agree and just sit here, we won't learn the arguments of others,
which in my opinion are important. Sometimes, one "deduces" a thing using a
bad argument, and the day he discovers that his argument is bad, he suspects
that his "conclusion" is bad too, which is not necessarily true.

so I'm definitely interested in the arguments behind the multiple lines of defense.

since threads got mixed, let me summarize some of the discussed points:

- setting up multiple (good) firewalls (one behind the other) limits the
  attacker's choice.
  I agree. but to what extent is this the good choice, considering that many
  firewalls cost a lot of money? Isn't it sufficient to have one FW and watch it
  carefully? Given that vulnerabilities cannot be completely eliminated, by 1 FW
  or by more, what is the percentage of vulnerabilities that an additional FW
  will fix? I don't mean gimme numbers, just a clear idea. The purpose is to see
  whether setting up an additional FW is worth the cost.

- I said that adding a new element to the chain may weaken it, and haven't
  been clear enough.
  I agree that this should be rare. An example: consider a setup of 2 FWs,
  where the internal one has an "unknown" vulnerability, so the security admin
  doesn't know it. suppose that an attacker can use this vulnerability to get a
  shell on this FW. Then he will be able to freely surf the internal network.
  Yes, there are many "suppositions" here, but this is definitely possible.

>Otherwise we will still be bickering
>in ten years about whether FireWall-1 is worse than other products.

just one last time. I'd be interested in the "qualities" found during the tests
(I am honest here).

cheers,
mouss
