Along the lines of the current discussion of firewall use, I just had an
interesting recommendation made to me by a consultant we are thinking of
hiring.

The existing situation:

For our web servers we have a screening router with _very_ tight filters
(allow port 80, 443 to all machines, DNS to one, SMTP to another).

We are wanting to add intrusion detection to this, so we are planning to put a
firewall/IDS machine between the router and the switch.

The thing that puzzles me is that the recommendation is to OPEN UP THE
ROUTER so that it only blocks a few ports and have the firewall do the
rest! The rationale is that a firewall is better for security than the
router and can give me better indications of attacks than we can get from the
router logs.

My reaction is that it is better to try and stop it at both the router and
the firewall, along with an alarm on the firewall so that if it sees any of
this it means that the router has been hacked, but I would like to get
some additional feedback on this.

David Lang


"If users are made to understand that the system administrator's job is to
make computers run, and not to make them happy, they can, in fact, be made
happy most of the time. If users are allowed to believe that the system
administrator's job is to make them happy, they can, in fact, never be made
happy."
-Paul Evans (as quoted by Barb Dijker in "Managing Support Staff", LISA '97)

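The "alarm on the firewall" idea from the post, as an added example that is not the poster's code: the screening router's filter policy is modelled as an allow-list, and any flow that reaches the firewall/IDS but would have been dropped by that policy is flagged, since it means the router's filters are no longer holding. The addresses and flow records are constructed for illustration.

```python
"""Router-bypass alarm for a firewall/IDS sitting behind a screening router.

The router policy quoted in the post: ports 80/443 to all machines on the
segment, DNS to one host, SMTP to another, everything else dropped.  If the
firewall ever sees traffic outside that policy, the router has been bypassed
or reconfigured and an alarm should be raised.  Addresses below are
constructed (RFC 5737 documentation ranges), not real hosts.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Hypothetical hosts on the web-server segment behind the screening router.
WEB_SERVERS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}
DNS_SERVER = "192.0.2.53"
MAIL_SERVER = "192.0.2.25"
SEGMENT = WEB_SERVERS | {DNS_SERVER, MAIL_SERVER}   # "all machines"


def router_allows(flow):
    """Model of the screening router's allow-list; anything else is dropped."""
    if flow.proto == "tcp" and flow.dport in (80, 443):
        return flow.dst in SEGMENT
    if flow.proto in ("udp", "tcp") and flow.dport == 53:
        return flow.dst == DNS_SERVER
    if flow.proto == "tcp" and flow.dport == 25:
        return flow.dst == MAIL_SERVER
    return False


def router_bypass_alarms(flows):
    """Flows the firewall saw that the router should already have dropped."""
    return [f for f in flows if not router_allows(f)]


# Constructed sample of what the firewall/IDS might log in one interval.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.10", "tcp", 80),   # normal web hit
    Flow("198.51.100.7", "192.0.2.53", "udp", 53),   # DNS to the DNS host
    Flow("198.51.100.9", "192.0.2.25", "tcp", 25),   # SMTP to the mail host
    Flow("198.51.100.9", "192.0.2.10", "tcp", 25),   # SMTP to a web server
    Flow("203.0.113.4", "192.0.2.11", "tcp", 23),    # telnet to the segment
]

if __name__ == "__main__":
    for f in router_bypass_alarms(SAMPLE_FLOWS):
        print("ALARM: traffic the router should have dropped:", f)
```

The two flagged flows are exactly the ones the router's allow-list should never have let through, which is the signal the poster proposes treating as evidence the router has been compromised.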

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]