Dan Swartzendruber wrote:
At 09:07 PM 9/23/2005, you wrote:
Oh, I understood you.
In that case, I guess we'll have to agree to disagree. This platform
deliberately has the capability of running various services on it
(unlike m0n0wall.) If someone has the CPU power and RAM to run things
like squid and clamav already, I really fail to see how making that
service available to the inside MTA causes a realistic chance of DoS
unless the MTA is grossly misconfigured.
both of you arguing are right and wrong. :)
In theory, is this a great idea? No. If you have the resources, it's
certainly best to segregate services appropriately. At work, I would
never integrate AV and the firewall, or IDS/IPS, or any of the many
other things that pfsense either allows now or will allow in the
future. But I do side jobs for companies whose annual revenues are less
than our IT budget at work, and the reality is in those circumstances,
if it's going to be done at all it will have to be integrated. The
alternative is to not have it at all (whatever "it" might be that you're
running on your firewall that you wouldn't normally want to run on your
firewall).
At a company with 20 or fewer users (likely > 20 in many scenarios), you
can't segregate things appropriately because you'd end up with an
unaffordable ratio of servers to users. In some of those environments
with 3-5 users, you'd end up with more servers than users. That's
obviously not feasible to set up and maintain in most every environment.
With things like this, there is no clear cut "do it" or "don't do it" in
the real world. It depends on the level of risk inherent in the given
environment, the risk tolerance in the environment, the cost of the
associated risks, how much downtime costs, and the amount of money the
company can afford to spend on IT. If, for example, you get flooded
with viruses and it takes down your firewall, well, I'd rather see that
than have the viruses happily passed along. <insert similar scenario
for any other service running on the firewall that shouldn't typically
run on a firewall> Usually better to have it in a place that isn't
ideal than to not have it at all.
-cmb