Firewalls help a lot, but they are not a total solution, of course. They are much more problematic with sites that have a lot of traffic. A friend who works for Sun told me that China's national intranet required 3 E10k Sunfires to meet their firewall needs.
PS: sorry all, but I pressed the enter key accidentally before I finished my prior email.

--- Stewart Stremler <[EMAIL PROTECTED]> wrote:

> begin quoting Tracy R Reed as of Sun, May 21, 2006 at 03:59:53PM -0700:
> > Andrew Lentvorski wrote:
> > > Anyhow, the longer I am at this, the less convinced I am about the
> > > benefit of "default deny" in an end-user system. Even behind all these
> > > "secure NATs", botnets thrive anyhow. But that's a different discussion.
> >
> > I'm with you on this one. Firewalls in general have been way oversold.
>
> As in 'hyped as a panacea'? Yes.
>
> But then, so has the network itself. Agents. The web. P2P. Virus scanners.
>
> Don't look to the salesmen for a realistic evaluation.
>
> > We set up a firewall and the first thing we always do is open/forward
> > the interesting ports to our internal applications. Ideally you want a
> > firewall and host-based security both, but given the choice between a
> > firewall only or host-based security only I would take host-based. The
>
> Ideally, you want a DMZ with proxies. _Ideally_, no packets on the
> internal network *ever* make it out to the Internet without first going
> through a firewalling proxy, and vice versa.
>
> That, however, is expensive and considered paranoid. So people don't
> do it. They buy the turnkey panaceas.
>
> > reason being the first time someone brings an infected laptop from home
> > and plugs it in behind your firewall your whole network is owned unless
> > you have host-based security.
>
> Don't bash firewalls for piss-poor network design. They're only an
> element to be used in your network design, not the sole component.
>
> > But a single firewall is a lot easier to manage than actually securing
> > all of your individual hosts, so hardly anyone does this in practice, so
> > we end up with huge botnets.
>
> That's people selling firewalls as a panacea. It's not a good idea
> to make your network crunchy on the outside and chewy on the inside.
>
> Of course, if you go solely with host-based security on account of
> your users being idiots, why do you think they'll maintain good
> discipline when you dump the firewall?
>
> Let's say you dump the firewall in favor of host-based security. It
> is difficult to configure the host-based security to let you print
> to the network printer, so you turn it _off_ to print. If you're
> printing a bunch of stuff, you'll turn it off and leave it off, and
> when you're done, you _might_ remember to turn it back on.
>
> (Real-life example. Don't tell me people don't do this sort of thing.)
>
> How long can an unprotected machine be on the Internet before it gets
> compromised, assuming it has no protection in place? One minute? Two?
>
> I'll take crunchy-on-the-outside-chewy-on-the-inside any day of the
> week over crunchy-for-all-but-an-hour-a-day-when-I-drop-my-pants. If
> I'm going to blow holes in my firewall so that "stuff will work", I'm
> going to do equally stupid things if I dispense with the firewall. So
> it's not a fair comparison to whine about how firewalls don't protect
> our networks from stupid network administrators and malicious users.
>
> --
> _ |\_
> \|
>
> --
> [email protected]
> http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
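The thread's sticking point is that host-based security gets switched off because "it is difficult to configure ... to let you print to the network printer". The script below is an added example, not from anyone on the list, showing a host-based, default-deny nftables ruleset that keeps the host firewall on while printing works: the printer is the only LAN host the workstation may talk to unsolicited, so an infected laptop plugged in behind the perimeter firewall gets nothing from this machine. The LAN range 192.168.1.0/24, the printer address 192.168.1.50, the printer ports (IPP 631, JetDirect 9100) and the script's own `--apply` flag are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the KPLUG thread: a host-based default-deny
# nftables policy that still allows printing, so the host firewall
# never needs to be turned off "just to print".
#
# Constructed assumptions: LAN is 192.168.1.0/24, the network printer is
# 192.168.1.50 and listens on IPP (TCP 631) and JetDirect (TCP 9100).
PRINTER_IP="${PRINTER_IP:-192.168.1.50}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset text (nft syntax). Both chains default to drop; the
# output chain is the one people disable to print, so the printer is
# allowed explicitly instead of opening the whole LAN.
host_ruleset() {
    cat <<EOF
flush ruleset
table inet host {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Everything else inbound, LAN included, is dropped: an infected
        # laptop on the same switch gets no foothold on this host.
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip protocol icmp accept
        # DNS and web: the bare minimum for a workstation
        udp dport 53 accept
        tcp dport { 53, 80, 443 } accept
        # Printing: only to the print server, only IPP and raw JetDirect
        ip daddr ${PRINTER_IP} tcp dport { 631, 9100 } accept
        # Anything else aimed at the LAN is logged, then dropped, so a
        # worm on this box shows up in the log instead of on the neighbours
        ip daddr ${LAN_NET} log prefix "host-out-deny " drop
    }
}
EOF
}

# Sanity check: exactly one output rule should name the printer.
printer_rule_count() {
    host_ruleset | grep -c "daddr ${PRINTER_IP}"
}

# Load the ruleset only when explicitly asked and running as root
# (--apply is this script's own flag); otherwise just print it for review.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" = "0" ]; then
    host_ruleset | nft -f -
else
    host_ruleset
fi
```

Run it without arguments to review the generated rules, or `sudo ./host-fw.sh --apply` to load them; `nft -c -f -` on the output checks syntax without loading. The point of the design is that the workstation's outbound policy is still default deny while printing works, which is the case the quoted message says drives people to switch the host firewall off.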
