>> Brian E Carpenter wrote:
>> There is no defence against misconfigured routers, except
>> for well configured routers elsewhere.
> Pekka Savola wrote:
> For example, for some services I maintain, I have:
> - TCP wrappers configuration in the host/service itself,
>   using /etc/hosts.allow
> - The local host firewall settings, doing similar
>   restrictions as above
> - Missing default route on the host, only some selected
>   routes used
> - The first hop router/firewall settings
> - A configuration at the site border router

This is not good enough, because it assumes that all hosts have been hardened. Good security must prevent data from being sent out even if the host has a dumb setup and even if the firewall/SBR has been compromised.

> Five layers of security should be enough, you'd think?
> Even a couple of them might be OK.

Wrong. I have seen multiple times five to six layers of firewalls just in the DMZ, plus all the host hardening that you mentioned below.

Michel.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
