On Fri, 5 Apr 2002, Georges J. JAHCHAN, P. Eng. wrote:

> Stateful packet inspection is nowhere near enough protection, especially if
> "holes" are poked through the firewall to allow public access to services in
> a DMZ. In this case:
>
> A stateful firewall will allow malicious packets to make it to a vulnerable
> server. It inspects the packets up to layer-4, ignoring the "payload" which
> extends to layer-7. To offer real world protection, a stateful packet
> inspection firewall needs to be supplemented by one or more of the
> following:

0) Hardened, trusted or well configured servers.

> 1) Network intrusion detection system.
> 2) Server intrusion detection.
> 3) Content checking proxy (html, email, etc...)
> 4) Application-level firewall (such as SecureIIS for MS IIS).
> 5) Network anti-virus protection.
> 6) Desktop anti-virus protection.
> 7) Firewall at the desktop.

Most of these, save perhaps IDS, are pretty much necessities of any normal
business network these days (assuming "Network anti-virus" is AV at a
gateway.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
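
The point made in the thread, that a stateful filter decides on layer-3/4 fields and connection state while the payload goes unread, is sketched below as an added example that is not part of either poster's message. The class and function names, the documentation-range addresses, the 2048-byte URI limit and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # simplified: "SYN" opens a flow, "ACK" carries data
    payload: bytes = b""

class StatefulFilter:
    """Toy layer-3/4 filter: a rule set of published services plus a flow table."""
    def __init__(self, holes):
        self.holes = set(holes)     # (dst, dport) pairs opened to the public
        self.flows = set()          # 4-tuples of connections already admitted

    def allow(self, p):
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow in self.flows:
            return True             # belongs to a tracked connection
        if p.flags == "SYN" and (p.dst, p.dport) in self.holes:
            self.flows.add(flow)    # new connection to a published service
            return True
        return False                # note: p.payload was never consulted

def content_check(payload, max_uri=2048):
    """Layer-7 check of the kind a content-checking proxy adds; returns findings."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or parts[0] not in (b"GET", b"HEAD", b"POST"):
        return ["malformed request line"]
    findings = []
    if len(parts[1]) > max_uri:     # assumed limit, chosen for the example
        findings.append("overlong URI")
    return findings

def demo():
    fw = StatefulFilter(holes=[("192.0.2.10", 80)])     # DMZ web server
    client, web = "198.51.100.7", "192.0.2.10"
    good = b"GET /index.html HTTP/1.0\r\n\r\n"          # constructed sample
    bad = b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"  # constructed sample
    out = {"syn": fw.allow(Packet(client, 40000, web, 80, "SYN"))}
    for name, body in (("good", good), ("bad", bad)):
        p = Packet(client, 40000, web, 80, "ACK", body)
        out[name] = (fw.allow(p), content_check(body))  # L4 verdict vs L7 findings
    out["stray_ack"] = fw.allow(Packet(client, 40001, web, 80, "ACK", good))
    out["closed_port"] = fw.allow(Packet(client, 40002, web, 22, "SYN"))
    return out
```

Both requests pass the filter because they ride an admitted flow to the published port; only the layer-7 check distinguishes them, while the filter still does its own job of dropping the out-of-state ACK and the connection to an unpublished port.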
