1999-03-24-05:02:41 Daemeon Reiydelle:
> I do consider a router using simple rules to be a screening router. (As
> separate from e.g. midrange Cisco products that have some level of
> firewalling software.)
So you are defining a firewall by some specific criteria that include "not a
screening router". That's the most fundamental point where we disagree:-).
> My concern is with the holes that open/develop when someone makes a
> mistake, leaves, is replaced with a less skilled person, doesn't have the
> system down time to apply patches and reboot, etc.
That's a real problem. Sadly, a more expensive and cumbersome firewall won't
help you a bit; you still have to let the traffic through for the server to do
its job. To protect against the kinds of problems you get when people make
mistakes configuring the servers, or when they fail to maintain them properly,
all you can do is audit them closely, and take great care in backing up their
content. You should be able to rebuild any server from brand new hardware
using on-line resources which are protected inside your bastion host, and your
server content update procedure should be doing some validation of the
existing configuration --- tricky to get right, impossible against a
sufficiently sophisticated attack by someone who has completely violated the
public server. But it's the only approach that will help.
> Usually some service that you have to have gets a new vulnerability, some
> service that you didn't think you needed gets started, etc.
If the new vulnerability is on a different port, or is a new service, the
screening router will work as well as a stateful firewall for blocking it. If
it is a vulnerability to some specific content in a port that needs to be
open, your stateful firewall will still let the previously-unanticipated evil
content through to wreak its havoc.
-Bennett
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
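The validation step Bennett describes (checking a public server's content against a baseline kept inside the bastion host) can start with a manifest comparison like the one below. This is an added example, not code from the original thread; the web root, file names and drift it simulates are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Report files whose content changed, appeared, or disappeared since the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo():
    # Constructed sample: a tiny web root whose baseline is recorded at deploy
    # time (in practice the baseline lives on the protected bastion host), then
    # altered the way a misconfigured or violated server might drift.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "index.html").write_text("<h1>welcome</h1>\n")
        (root / "cgi-bin" / "search.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "httpd.conf").write_text("Listen 80\n")
        baseline = build_manifest(root)
        # Simulated drift: config edited, an unexpected script added, the index removed.
        (root / "httpd.conf").write_text("Listen 80\nListen 8080\n")
        (root / "cgi-bin" / "extra.cgi").write_text("#!/bin/sh\n")
        (root / "index.html").unlink()
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

As Bennett notes, this only catches drift an attacker has not also hidden in the baseline or the checker itself, which is why the baseline must stay behind the bastion host rather than on the public server.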