>Using a firewall, you add a layer of security, even if it's not
>perfect. For example, you can specify what addresses are allowed to use
>the protocol, and also the direction of communication (I believe the
>original poster wanted to be able to use DCOM outgoing, not incoming).
>While this isn't perfect, I hope you'll agree that it's far better than
>having no firewall at all.

Agreed, but if you're going to use your firewall like a glorified router,
you might as well just be using a router. ACLs (especially Cisco's
reflexive ACLs) could support your DCOM application just as well as a
firewall. I'll submit that firewall logging can provide you with useful
knowledge about your network, but otherwise your firewall isn't really
adding any value. The firewall's "layer of security" becomes increasingly
thin.

Indeed, if there's one common theme running through these various and
sundry posts, it's that perimeter security alone isn't enough to provide
acceptable security. The explosion of new, complicated and untested
protocols complicates the firewall's job. This, coupled with the vendor
rush to "support" all of these new protocols, IMHO results in watered-down,
least-common-denominator products. ("What, your firewall doesn't support
the new FOOBAR.32359846736 Bitwise Inverse Transient Data Punch-Through and
Corruption Protocol? Well, we're not going to buy it unless it does!")

So, do the best you can with the firewall you've got, but at the end of the
day you're still going to have a gap. You'll have to use other tools (host
security, application security, data and/or network encryption, strong
authentication, additional filtering, app proxies, any or all of the above)
at the client end and the back-end to close that gap.

Maybe it's time we renamed the list "General-Purpose Network Security"
instead of "Firewalls." Think GNAC will go for it?

My 0.019999998 cents worth (Pentium Error)

Regards,

Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.
My opinions are not necessarily the opinions of my employer
#include <std.disclaimer.h>
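
As an added illustration of the reflexive-ACL point above (this is example configuration, not something from Christopher's post or the original poster), here is a Cisco IOS router configuration that lets an inside client open DCOM sessions to one outside host while refusing anything the outside initiates. The addresses (10.0.0.0/24 inside, 192.0.2.10 as the remote DCOM server) and the interface name are constructed placeholders.

```cisco
! Added example, not from the original post: Cisco IOS reflexive ACL for
! outgoing-only DCOM. Addresses and interface are constructed placeholders.
!
! Reflexive (temporary) entries expire after this many seconds of silence.
ip reflexive-list timeout 300
!
ip access-list extended OUTBOUND
 ! DCOM endpoint mapper (TCP 135): permit it and record a mirror entry
 ! in DCOM-RETURN so the server's replies can come back in.
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 eq 135 reflect DCOM-RETURN
 ! The dynamic high ports the endpoint mapper hands out are not known in
 ! advance, so TCP to that one peer is permitted and mirrored as well.
 permit tcp 10.0.0.0 0.0.0.255 host 192.0.2.10 reflect DCOM-RETURN
 deny ip any any log
!
ip access-list extended INBOUND
 ! Only packets that match a mirror entry (replies to sessions we opened)
 ! are accepted; everything else from outside is dropped and logged.
 evaluate DCOM-RETURN
 deny ip any any log
!
interface Serial0
 description constructed example: link to the outside
 ip access-group OUTBOUND out
 ip access-group INBOUND in
```

Note what this does and does not buy you: the router tracks direction and peer address, but it has no idea which dynamic port the endpoint mapper negotiated, so the second permit line has to be broad, which is exactly the kind of gap the reply above says you must close elsewhere.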


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]