Actually the Service Provider should be your first line of defense. One
should insist on Access Control Lists on the external connection and then
implement strategic ACLs on the external router.
The internal router should have a different set of filters from
those ACLs, allowing specific implicitly permitted services after the
traffic has been screened by both a firewall and an intrusion detection
system.
Think defense in depth, and zones of control.
It is easy to do, get a big piece of paper, get some crayons, draw a
little circle, then around that draw a bigger circle, etc, etc.
Identify each circle by decreasing value and worthiness of the information
your organization is attempting to protect. The inner circle should be
the most critical thing your organization deems the most valuable thing
the organization has. It could be something like the financial
numbers, etc.
After the circles and arrows are complete, overlay that with your security
architecture. After the overlay of your security architecture, overlay
that picture with your hardware; after that, overlay it with your router
configurations. Do your router configurations make sense for the
information or asset your organization is trying to protect? If not, seek
the advice of a psychiatrist and pray your boss doesn't find out :)
/cheers
/mark
Unknown <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/12/00 05:32 PM
To: John Adams <[EMAIL PROTECTED]>, "Ng, Kenneth \(US\)" <[EMAIL PROTECTED]>
cc: "'Groth, Daniel'" <[EMAIL PROTECTED]>, "'Firewalls \(E-mail\)'"
<[EMAIL PROTECTED]>
Subject: RE: Content Analysis
At 04:07 PM 3/8/00 -0500, John Adams wrote:
>Filtering router = barely any isolation, just drops packets and you have
>to let large sections of the port space back in so connections work
>(unless using the established keywords under cisco, but a router and
>filtering SHOULD NOT be your first line of defense.)
Actually, Cisco ACLs SHOULD be the FIRST line of defense, and, hopefully,
NOT the ONLY line of defense. Defense in depth is a great concept.
-Igor
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
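The two router-ACL approaches argued over above (John's point that a plain filtering router has to "let large sections of the port space back in" unless the Cisco `established` keyword is used, and Mark's and Igor's point that the ACL is only the first layer) can be shown with a small stateless-filter model. This is an added example, not code from the list posters or from Cisco; the packet and rule classes, the sample traffic, and the IOS-like "first match wins, implicit deny" evaluation are constructed here to illustrate the discussion.

```python
# Added example (not from the thread): a toy stateless packet filter that
# models two ways of letting TCP replies back in through an external router ACL.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str
    src_port: int
    dst_port: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"}, {"ACK"}, {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "ip"
    dst_port_min: int = 0
    dst_port_max: int = 65535
    established: bool = False  # Cisco-style: match only if ACK or RST is set

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (self.dst_port_min <= pkt.dst_port <= self.dst_port_max):
            return False
        if self.established and not (pkt.flags & {"ACK", "RST"}):
            return False
        return True


def evaluate(acl, pkt):
    """First matching rule wins; implicit deny at the end, as in IOS ACLs."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Approach 1: open the high ports so replies to outbound connections get back in.
PORT_RANGE_ACL = [Rule("permit", "tcp", 1024, 65535)]
# Approach 2: only admit packets that look like part of an existing session.
ESTABLISHED_ACL = [Rule("permit", "tcp", established=True)]

# Constructed sample traffic arriving on the external interface.
REPLY = Packet("tcp", 80, 40000, frozenset({"SYN", "ACK"}))   # reply to our web client
NEW_CONN = Packet("tcp", 5555, 8080, frozenset({"SYN"}))       # unsolicited inbound connection
ACK_ONLY = Packet("tcp", 5555, 8080, frozenset({"ACK"}))       # ACK set, but no session behind it


def compare(pkt):
    """Decision of each ACL for one packet; a stateless router cannot tell
    ACK_ONLY from a real session, which is why a firewall and IDS sit behind it."""
    return {"port_range": evaluate(PORT_RANGE_ACL, pkt),
            "established": evaluate(ESTABLISHED_ACL, pkt)}
```

The port-range ACL permits the unsolicited SYN to 8080 (the "port space let back in" problem), the `established` ACL denies it, and both permit the ACK-only packet, which is the gap the later layers in the thread's defense in depth are there to catch.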