horio shoichi wrote:
>
> Mikael Olsson wrote:
> >
> >
> > By the way, this is the kind of firewall that I like. Separate
> > machines are great. I spit in the face of all do-everything-on-the-
> > same-machine type guys! Pah! :) :)
>
> Recently, I came to think 3 NIC firewall is not as bad as I originally
> thought. As I read your message, 3 NIC firewall is a do-everything-on-
> the-same-machine, (I hope correct). So I borrow this opportunity to
> ask what you experts think about my idea.
No, not completely correct.
[Here, "firewall" refers to one single machine. Gotta love
well-defined technical terms. :P ]
I wasn't complaining about 3 NIC firewalls. I think firewalls
with many NICs are great; they make for easy zone separation.
My favourite is where you put each and every server in its
own zone and completely lock down what each server may do.
This assumes that the firewall itself is safe enough, and
that the rule set allows this kind of configuration without
becoming dangerously complex, which would make for
configuration errors.
A multiple NIC firewall isn't what I call "do-everything-on
the-same-machine", really. All such a machine does is filter
traffic, albeit with more NICs.
(However, there are of course situations where multiple
firewalls are better than one firewall with many interfaces,
but this is judged on a case-by-case basis.)
What I _don't_ like is firewalls where you've got a bazillion
lines of code and several hundred processes running. The more
code, the more opportunity for error. Even if you can verify that
each process is secure in and of itself, you can end up with
situations where two or more processes/applications interact
badly with each other, or with the firewall core processes, or
with the file system drivers, etc, etc, creating security holes
that neither developer had originally thought possible.
_That's_ what I call "do-everything-on-the-same-machine".
Regards,
Mikael Olsson
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: [EMAIL PROTECTED]
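As an added illustration of the layout Mikael describes (one server per zone behind a multi-NIC firewall, with what each server may do locked down), here is a small Python model of such a policy with a default-deny forward chain. It is not code from the original thread; the zone names, interfaces, subnets, ports and the nftables rendering are constructed assumptions.

```python
# Added example: multi-NIC firewall with one zone per server, default deny.
# Constructed and hypothetical: zone names, interfaces, subnets and ports.
from dataclasses import dataclass
# Zone -> (firewall NIC, subnet). One server per zone means a compromised
# host can only reach what the ALLOW list below explicitly grants it.
ZONES = {
    "internet": ("eth0", "0.0.0.0/0"),
    "web": ("eth1", "10.1.1.0/24"),
    "db": ("eth2", "10.1.2.0/24"),
    "lan": ("eth3", "10.1.3.0/24"),
}

@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

# The only permitted new flows. Anything else is dropped (default deny);
# note the db zone initiates nothing, not even back to the web zone.
ALLOW: list[Rule] = [
    Rule("internet", "web", "tcp", 443),
    Rule("web", "db", "tcp", 5432),
    Rule("lan", "web", "tcp", 22),
    Rule("lan", "db", "tcp", 22),
]

def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """Decide a new flow between zones: only an explicit rule permits it."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone: {src!r} -> {dst!r}")
    return Rule(src, dst, proto, dport) in ALLOW

def reachable_from(zone: str) -> list[tuple[str, str, int]]:
    """What a host in `zone` may open; [] means it can initiate nothing."""
    return [(r.dst, r.proto, r.dport) for r in ALLOW if r.src == zone]

def render_nft(rules: list[Rule] = ALLOW) -> str:
    """Render the policy as an nftables forward chain with policy drop."""
    lines = ["table inet zonefw {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept",
             "    ct state invalid drop"]
    for r in rules:
        src_if = ZONES[r.src][0]
        dst_if, dst_net = ZONES[r.dst]
        lines.append(f"    iifname {src_if} oifname {dst_if} ip daddr {dst_net} "
                     f"{r.proto} dport {r.dport} ct state new accept")
    lines += ["  }", "}"]
    return "\n".join(lines)
```

The point of the model is that adding a server means adding a zone plus the few rules it needs, so the rule set stays small enough to audit rather than growing into the kind of complexity that breeds configuration errors.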