On Wed, Jan 31, 2001 at 09:09:14AM +0800, Ju Kong Fui wrote:
> I am new to firewalls and I wonder why we need a firewall behind the perimeter
> router? As far as I know, we can filter most of the malicious traffic
> using the perimeter router itself, for example a Cisco router with IOS.
Well, strictly speaking the perimeter router is, especially if it is a
filtering one, part of the Firewall System. On the Perimeter Routing you can
do filtering for IP-Spoofing and black-listed addresses (if you have any).
If it is enough to have a Cisco Router with Firewall IOS, doing ACLs on
Packet filtering or if you need a more complicated Firewall greatly depends
on your security policy (which in turn depends on the risk analysis you
should do).

Things you might need:
- Content Filtering (Malware Protection)
- Incoming connection authentication
- Web Proxy+Cache
- Protocol specific Filtering (like SMTP Buffer Overflows or FTP DELE
  Statements).

The latter is most important if you can't trust your Servers to be hardened.

In any case I would suggest you don't let any incoming connections into your
LAN where you don't have control of the configuration of your hosts. This can
be done by a Firewall or simply by a masquerading Router. In the latter case
you need to take special care of some protocols like FTP or simply don't
allow anything which is more complicated.
Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
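
An added example, not part of the original message: a Python model of the perimeter filtering the reply describes (anti-spoofing, black-listed sources, and no new incoming connections into the LAN), run over constructed packets. The prefixes, the blacklist and the name `filter_inbound` are assumptions made for illustration; only TCP is modelled.

```python
import ipaddress

# Assumed addressing: the protected LAN and a constructed blacklist entry.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
BLACKLIST = [ipaddress.ip_network("203.0.113.0/24")]
# Source ranges that cannot legitimately arrive on the outside interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "224.0.0.0/3")]


def filter_inbound(src, dst, tcp_flags=frozenset()):
    """Return (verdict, reason) for a TCP packet arriving from outside."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    # 1. Anti-spoofing: our own prefix cannot be the source of outside traffic.
    if src_ip in INTERNAL_NET:
        return ("drop", "spoofed internal source")
    if any(src_ip in net for net in BOGONS):
        return ("drop", "non-routable source")
    # 2. Black-listed addresses, if the site maintains any.
    if any(src_ip in net for net in BLACKLIST):
        return ("drop", "black-listed source")
    # 3. Traffic not addressed to the protected network is not forwarded.
    if dst_ip not in INTERNAL_NET:
        return ("drop", "destination not ours")
    # 4. Stateless check, as a plain packet filter does it: ACK or RST marks
    #    a reply to an outbound connection; anything else is a new connection.
    if "ACK" in tcp_flags or "RST" in tcp_flags:
        return ("pass", "reply to outbound connection")
    return ("drop", "new inbound connection")


# Constructed sample packets: (source, destination, TCP flags).
SAMPLE_PACKETS = [
    ("192.0.2.10", "192.0.2.20", {"SYN"}),
    ("10.1.2.3", "192.0.2.20", {"SYN"}),
    ("203.0.113.7", "192.0.2.20", {"SYN"}),
    ("198.51.100.5", "192.0.2.20", {"SYN"}),
    ("198.51.100.5", "192.0.2.20", {"ACK"}),
]


def run_samples():
    """Evaluate every sample packet and return the list of verdicts."""
    return [filter_inbound(*pkt) for pkt in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_samples()):
        print(pkt[0], "->", pkt[1], sorted(pkt[2]), verdict)
```

Rule 4 looks only at the flags of each packet and keeps no connection table, which is the kind of filtering a router ACL does.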