One fundamental must remain in our minds: a firewall does not a
security policy/secure network make. Pretty much anything allowed
through a firewall can be abused to some extent, if the firewall is
your sole focus. 

There are, in simplest terms, two basic parts to "securing" a
network. Denying what you can identify as needing to be denied (based
on known ports, traffic types, protocol type, commands, "signatures",
you know the drill), and watching/logging everything else you can't
identify (*anything* tunneled could possibly qualify). Bear in mind I
said "simplest terms;" there is nothing simple about the actual
implementation, except in comparative terms.

Uncompromised, properly configured firewalls stop certain types of
traffic with certain protocol characteristics, and nothing more. What
they can't identify as "bad" gets passed, and we have to use policy,
multiple barriers, sniffers, IDS signatures, log analysis and
trending, hunches, good old common sense, and sometimes just a little
luck to do the rest of the job. Different firewalls do different
things to different degrees. The trick is to know what you're
*really* stopping with "Firewall X," and treat everything else as a
possible suspect when the time comes.

At the risk of flames, please can this thread die? TIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

R. Michael Williams
Senior Network Consultant
Inacom Information Systems
Nashville, TN  


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ron DuFresne
Sent: Thursday, April 20, 2000 7:07 PM
To: aaron
Cc: Firewalls
Subject: Re: ssh defeats the firewall



Hasn't it been argued in other threads, somewhat differently, that
firewalls are not meant to control inside users so much as to prevent
outside abuse, and that inside use is best constrained by HR?

Thanks,

Ron DuFresne

