I have to agree.  Case in point is the DoD's adoption of the Defense in Depth policy.
The policies mentioned below have historically worked horribly for the DoD.  In an
organization with a security policy like this, given enough time and persistence, an
attacker will find a hole.  The hole will most likely be a human error, such as
failure to install patch X or Y in a timely manner.  Likely it will even be a
temporary hole.  However, that's all it takes.  Running an organization's security
infrastructure without layered defenses, i.e. firewalls, IDS, security policies,
security management and monitoring, end user education, etc. will eventually lead to
a compromise.

-----Original Message-----
From: keith royster [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 06, 2002 5:08 PM
To: Iain McAleer
Cc: Gilles Poiret; [EMAIL PROTECTED]
Subject: Re: NAT, Internet access and security


IMO, security should be addressed in layers, and a good firewall is an 
important part of your defense system.  With a layered defense, you never have 
a single point of failure. The company you mention is playing without a net - 
cocky and unwise.  My bet is that it is only a matter of time before they slip.

-- 
keith royster
[EMAIL PROTECTED]
http://www.homebrew.com


Quoting Iain McAleer <[EMAIL PROTECTED]>:

> Hey guys,
> 
> To be honest, if your system is secure a firewall is redundant. I am aware
> of a company here in Perth that is part of a multi-million dollar
> corporation. They have NO firewalls in place and are not implementing NAT.
> In fact they have live IPs for all their workstations. The reason they have
> no firewall and can keep running with this is because their system is
> secure. The biggest security risk is always going to be exploits and your
> own clients' idiocy.
> 
> Regards
> Iain McAleer
> 
> ----- Original Message -----
> From: "Gilles Poiret" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, January 03, 2002 8:14 PM
> Subject: Re: NAT, Internet access and security
> 
> 
> > Hello,
> >
> >
> > Most of the answers I received suggest that I set up a firewall. (My router
> > seems to have this ability.)
> > But a firewall to block what? Except for the router, computers can't be
> > "touched" from outside the LAN, since they have private addresses.
> >
> > The most important risk seems to be about worms, trojans, or Java and
> > JavaScript applications...
> > Some of the answers talk about proxies, to prevent this kind of problem.
> > I can't see what improvement in security a proxy brings generally, and in
> > particular in the case of worms & co., especially with regard to a
> > firewall...
> > If you know the answer (or a web site about that), I'm very interested!
> >
> >
> > What do you think about this configuration for the firewall's router:
> > - incoming packets: SYN packets blocked (for me, useless -> private
> > addresses)
> > - outgoing packets: every packet blocked, except those where the
> > destination is the web, smtp or pop port. (Working context -> no irc, ....)
> > Is it a useful and effective configuration?
> >
> >
> > Regards,
> >
> > --
> > Gilles Poiret
> >
> >
> >
> > Gilles Poiret wrote, Saturday 29 December 2001, at 16:21:
> > > Hello,
> > >
> > > I plan to give my company access to the Internet. My ISP proposes
> > > partial-time access (20h) on an RNIS solution, with a router and a single IP
> > > address (dynamic), so using private addresses for computers on my LAN.
> > >
> > > This offer doesn't include security stuff (except for e-mails).
> > > So I'm wondering about the risk for my network.
> > > For me, the risk is null: private addresses are ... private, and no IP
> > > services are running on workstations.
> > > But I may be wrong!
> > >
> > > So I'd appreciate advice.
> > > Thanks,
> > >
> > > and Happy New Year !
> > >
> > > --
> > > Gilles POIRET
> > >
> > >
> > > My LAN :
> > >  a Windows NT 4 Server, and 10 workstations with Windows 98.
> > >
> > >
> > >
> 
> 

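The router filter Gilles proposes above (incoming SYN blocked, outgoing traffic allowed only to the web, smtp and pop ports), modelled as an added example that is not from any poster in this thread; the port numbers, the 192.168.0.0/24 LAN and the stateful handling of return traffic are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): the private LAN range, and which ports
# "web, smtp, pop" mean; HTTPS (443) is added as a modern assumption.
LAN = ip_network("192.168.0.0/24")
ALLOWED_OUT_PORTS = {80, 443, 25, 110}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for a connection-opening SYN

class RouterFilter:
    """Models the proposed router policy. Remembering outbound flows so that
    replies can come back is an assumption; the thread only says SYN is blocked."""

    def __init__(self) -> None:
        self.allowed_flows: set[tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        inbound = ip_address(p.dst) in LAN and ip_address(p.src) not in LAN
        if inbound:
            if p.syn:
                return "DROP"  # "incoming packets: SYN packets blocked"
            # Other inbound packets pass only as replies to a flow we opened.
            flow = (p.dst, p.dport, p.src, p.sport)
            return "ACCEPT" if flow in self.allowed_flows else "DROP"
        # Outbound: every packet blocked except web/smtp/pop destinations.
        if p.dport in ALLOWED_OUT_PORTS:
            self.allowed_flows.add((p.src, p.sport, p.dst, p.dport))
            return "ACCEPT"
        return "DROP"

def run_sample() -> dict[str, str]:
    # Constructed sample traffic, evaluated in order through one filter.
    fw = RouterFilter()
    samples = [
        ("inbound_syn_to_workstation", Packet("203.0.113.5", 40000, "192.168.0.10", 80, True)),
        ("workstation_to_web", Packet("192.168.0.10", 50000, "203.0.113.5", 80, True)),
        ("web_reply", Packet("203.0.113.5", 80, "192.168.0.10", 50000, False)),
        ("workstation_to_irc", Packet("192.168.0.10", 50001, "203.0.113.7", 6667, True)),
        ("unsolicited_inbound_ack", Packet("203.0.113.9", 80, "192.168.0.10", 51000, False)),
    ]
    return {name: fw.decide(p) for name, p in samples}
```

Two verdicts carry the point of the thread: "workstation_to_web" is accepted even if that workstation is already infected by a worm, which is why the other replies argue for layers beyond the router, and "unsolicited_inbound_ack" is dropped only because of the assumed state table.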