At 14:58 18/04/01 -0400, Day, Kenneth wrote:
>Hello all,
>
>I've seen a lot of questions regarding best firewalls, etc...Much of this
>may not be anything new (-so call me Columbus); however, sometimes it is
>best to look at the basic facts of what a component can or is needed to
>do...
>
>My two cents relating to firewalls:
>1) To me, the degree to which firewalls keep away hackers is somewhat less
>relevant. For the most part, they all do what they are supposed to in
>regards to telling a hacker, "hey, at least we've got something in place."
>(before you hammer me on this one, I am talking 'in general' and 'overall')
Keeping hackers out of the way is the most relevant thing for a FW.
>2) Better to look at performance(throughput,etc), concurrent sessions,
>manageability, scalability, and the ability to integrate with other
>security modules. THIS is where you will find the right firewall. Few things
>are worse than a firewall that is unfriendly to manage.
Then why have a FW? A fast router is far better!
An unfriendly but effective FW is still better than a friendly open hole.
>3) Note- Firewalls address 20% to maybe 35% of the potential security
>threats to a company.
Statistics are an old silly game. You can "prove" whatever you want with numbers,
'cos they are easily subverted, and people like to see/hear things that call
to their emotion instead of their brain. But the truth is elsewhere...
The real thing is that it all depends on what you count among what.
A firewall addresses 100% of the threats that it is designed and configured
to guard against. If you count all possible things that may be considered
security threats, then it'll hardly address 1%!
(If counting: physical security, host security, employee attacks/threats,
....)
>4) ALL connected stand alone firewalls are hackable. Yes all.
ALL sentences that are that general are untrue (this applies to this one!)
>5) A firewall should NEVER be left without a co-existing IDS solution,
>especially if one is 1/2 way serious about securing and managing the
>network.
I've heard this a lot of times. This means that marketing people from
IDS vendors have done a good job at convincing people their product
is necessary while it is not.
Using an IDS will never be a requirement for network security. If you need one,
use one. If you need one but don't have the resources to use it
effectively, don't use one. If you don't need one, don't use it!
I'm not saying an IDS is useless, bad or anything like that. Just saying that
the truth lies in the middle. It's good for some, useless for others.
Since numbers seem attractive, I'll say that 95% of the connected companies
do not need an IDS and won't benefit from one.
>Bottom Line:
>Companies must eliminate the mindset that any one firewall is their answer
>to being protected. It takes a combination of different software, hardware
>and good people that want to continue to learn.
I fully agree.
cheers,
mouss
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]