Andrew Lentvorski wrote:

> Anyhow, the longer I am at this, the less convinced I am about the benefit of "default deny" in an end-user system. Even behind all these "secure NATs", botnets thrive anyhow. But that's a different discussion.
I'm with you on this one. Firewalls in general have been way oversold. We set up a firewall, and the first thing we always do is open/forward the interesting ports to our internal applications. Ideally you want a firewall and host-based security both, but given the choice between a firewall only or host-based security only, I would take host-based. The reason is that the first time someone brings an infected laptop from home and plugs it in behind your firewall, your whole network is owned unless you have host-based security. But a single firewall is a lot easier to manage than actually securing all of your individual hosts, so hardly anyone does this in practice, and so we end up with huge botnets.
-- 
Tracy R Reed
http://ultraviolet.org

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
