my two cents...

Cisco PIX with three (or more) legs ... use a proxy server(s) in the dmz to
proxy the http and ftp requests for the clients in the inside.. put your
web server(s) there too or in a second dmz at a lower security level...
cisco's mailguard feature does a pretty good job of restricting the number
and type of attacks via email; the pix can also be set to block activex...
remember to keep the OS's of your various machines up to date with the
latest security patches, etc. 

the cisco pix is fast, and can be set up in a failover configuration.

there are other, arguably better (remember there are religious opinions and
there are computer opinions, and I can't tell the difference in terms of
excitability, volume, and basic rhetoric; I can only tell the difference if
I get to hear the actual words and sometimes not even then.), firewalls, but
you have to make a judgement based on cost of protection versus cost of
upkeep versus cost of failure versus types of failure versus ..... i.e., you
need a security policy first, and then buy/build firewalls / proxies / etc.
to enforce that policy.  Part of the policy should place a dollar value on
various bad things happening: denial of service, detected intrusion,
undetected intrusion, virus infection, ....



-----Original Message-----
From: Ashley Culver [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 08, 1999 11:55 AM
To: [EMAIL PROTECTED]
Subject: Re: Enterprise level Firewalls: Thanks for the advice everyone


Hi,

Just to say thanks for all the advice people have sent me regarding my
question on Enterprise Level Firewalls. It's been an interesting read and
I'll admit I've yet to fully digest it all !

This is probably a familiar situation to a lot of you but as I get deeper
and deeper into the planning of this Firewall it has thrown up so many
questions and issues regarding the network as it currently stands. I've
realized I've got stacks of things to sort out in terms of the network
before I even start to think about choosing a product. Cabling
infrastructure, IP number allocation to different departments, rationalizing
naming conventions, physical network maps... phew - it's going to be a long
one !

Anyway, I've been greatly encouraged by the response I've had. Not all
mailing lists are half as helpful. I hope I'll be able to contribute my
little bit once I've climbed that learning curve a bit more !

Cheers

Ashley Culver
Cambridge
UK

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]