Both are important. An IIS box with no patches installed behind the greatest firewall in the world would still be vulnerable to Code Red, Nimda, Unicode and all that good stuff if port 80 was getting to it. A completely patched server with no firewall would be available to be compromised on all ports; it would happen one way or another.
Since patches are free and most firewalls are not, in a pinch a cheap firewall such as Linksys or a Linux solution with a patched server behind it would be workable. But it isn't just patches that are important. Following all the normal good practices regarding unneeded services, strong passwords and physical security and the like rounds out the package.

-----Original Message-----
From: "Omar Koudsi" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Tue, 8 Jan 2002 02:29:43 +0200
Subject: Hardening VS firewalling ?

> OK, I know this is more of a theoretical debate, because in reality we
> are able and should do BOTH.
>
> But according to you, which is more important? Paying attention to
> having a great firewall with a great ACL more than hardening and patching
> the systems? Or not have to worry about the firewall or having one at
> all and concentrate on applying best practices to OS/APPS and making
> sure the OS/APPS is up to date on patches?
>
> In the unlikely event that you had to choose one over the other (or some
> people would argue that this is a reality since time is limited and you
> can really concentrate on one), which one would it be and why?
>
> Regards,
>
> -----------
> Omar Koudsi
> IT Architect
> Network Security Center
> Special Systems Company
> http://security.sscjo.com
> [EMAIL PROTECTED]
> Tel: (9626) 5664221
> Fax: (9626) 5681557