I fully agree with your view, and for many reasons.
First of all: there's a very healthy concept called "defense in depth". If
your only security barrier is your firewall and it becomes compromised, how
will you notice? The hacker will surely clean up his tracks.
Furthermore, if there's a mistake in your configuration and some port is
open, then the other component (the FW or the router) will cut the way.
Finally, NEVER trust the whole of your security to a single provider or
individual; let them provide you with products and help you configure them, but
keep it to you and yours to set up the security ARCHITECTURE. Like a door with
many locks and keys.
Brgds // Alvaro.
-----Original Message-----
>Along the lines of the current discussion of firewall use, I just had an
>interesting recommendation made to me by a consultant we are thinking of
>hiring.
>
>The existing situation:
>
>for our web servers we have a screening router with _very_ tight filters
>(allow port 80, 443 to all machines, DNS to one, SMTP to another)
>
>We are wanting to add intrusion detection to this, so we are planning to put a
>firewall/IDS machine between the router and the switch.
>
>The thing that puzzles me is that the recommendation is to OPEN UP THE
>ROUTER so that it only blocks a few ports and have the firewall do the
>rest! The rationale is that a firewall is better for security than the
>router and can give me better indications of attacks than we can get from the
>router logs.
>
>My reaction is that it is better to try and stop it at both the router and
>the firewall, along with an alarm on the firewall that if it sees any of
>this it means that the router has been hacked, but I would like to get
>some additional feedback on this.
>
>David Lang
>
>
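The alarm David describes (the firewall flagging any traffic the screening router should already have dropped) can be checked mechanically against firewall logs. The following is an added example written for this page, not code from either poster: it encodes the router policy from the thread (80/443 to every web server, DNS to one host, SMTP to another) with hypothetical addresses, parses a constructed firewall log format, and reports every flow the router ought to have stopped. Whether the firewall then accepted or dropped the packet does not matter; the packet reaching the firewall at all means the first layer failed, which is exactly the "how will you notice?" question above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed router policy mirroring the thread. Addresses are hypothetical
# documentation ranges, not anything from the original message.
WEB_NET = ipaddress.ip_network("192.0.2.0/24")
DNS_HOST = ipaddress.ip_address("192.0.2.10")
MAIL_HOST = ipaddress.ip_address("192.0.2.25")


@dataclass(frozen=True)
class Rule:
    proto: str
    dport: int
    dst: Union[ipaddress.IPv4Network, ipaddress.IPv4Address]


ROUTER_POLICY = [
    Rule("tcp", 80, WEB_NET),    # HTTP to all web servers
    Rule("tcp", 443, WEB_NET),   # HTTPS to all web servers
    Rule("udp", 53, DNS_HOST),   # DNS to one host only
    Rule("tcp", 53, DNS_HOST),
    Rule("tcp", 25, MAIL_HOST),  # SMTP to one host only
]


def router_permits(proto: str, dst: str, dport: int) -> bool:
    """True if the screening router's filters would let this flow through."""
    addr = ipaddress.ip_address(dst)
    for rule in ROUTER_POLICY:
        if rule.proto != proto or rule.dport != dport:
            continue
        if isinstance(rule.dst, ipaddress.IPv4Network):
            if addr in rule.dst:
                return True
        elif addr == rule.dst:
            return True
    return False


@dataclass(frozen=True)
class Flow:
    action: str
    proto: str
    src: str
    dst: str
    dport: int


# Hypothetical firewall log format (one flow per line); adapt the regex to
# whatever your firewall actually emits.
LOG_RE = re.compile(
    r"(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+)"
    r"\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; unrelated lines yield None and are skipped."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Flow(m["action"], m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))


def find_router_bypass(log_lines) -> List[Flow]:
    """Flows the firewall saw that the router should already have dropped.

    The firewall's own verdict is irrelevant here: if the packet arrived at
    the firewall, the router's filter did not stop it, so each hit is an
    alarm about the router (misconfiguration or compromise), not the firewall.
    """
    flows = (parse_line(line) for line in log_lines)
    return [f for f in flows
            if f is not None and not router_permits(f.proto, f.dst, f.dport)]


# Constructed sample log: four flows the router policy allows, three it does
# not, and one unrelated line.
SAMPLE_LOG = [
    "ACCEPT proto=tcp src=203.0.113.5 dst=192.0.2.7 dport=80",
    "ACCEPT proto=tcp src=203.0.113.5 dst=192.0.2.8 dport=443",
    "ACCEPT proto=udp src=198.51.100.2 dst=192.0.2.10 dport=53",
    "ACCEPT proto=tcp src=198.51.100.9 dst=192.0.2.25 dport=25",
    "DROP proto=tcp src=203.0.113.77 dst=192.0.2.7 dport=22",   # SSH: never allowed
    "DROP proto=tcp src=203.0.113.77 dst=192.0.2.7 dport=25",   # SMTP to a web host
    "ACCEPT proto=udp src=198.51.100.2 dst=192.0.2.8 dport=53",  # DNS to wrong host
    "kernel: link state change on eth1",
]

if __name__ == "__main__":
    for flow in find_router_bypass(SAMPLE_LOG):
        print(f"ROUTER FILTER FAILED: {flow.proto}/{flow.dport} "
              f"{flow.src} -> {flow.dst} (firewall {flow.action})")
```

Run it and the three flagged flows are the ones the router's filters should have stopped; a real deployment would feed the firewall's syslog into `find_router_bypass` and page on any non-empty result, since in a correctly working two-layer setup that list is always empty.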
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]