North American Network Operators Group

Re: Firewall opinions wanted please

  • From: Valdis.Kletnieks
  • Date: Tue Mar 16 21:40:56 2004

On Tue, 16 Mar 2004 14:27:16 PST, Nicole <[email protected]>  said:

>  From what I have heard a proxy firewall would be best? 

I'll go out on a limb here and say that the actual make and model of the
firewall don't matter anywhere *near* as much as a proper understanding on the
client's part of what a firewall can and can't do.

It can let you know when somebody's poking at your site.  But it can't do it on
its own, somebody *will* have to read the logs (even if you use a good
log-filtering package to trim out all the true noise).

It can't automagically secure your site.  All it takes is *one* laptop or VPN
connection to the "inside" from a compromised machine and you're history.

The most successful firewall installs I've encountered have invariably
considered the firewall not as a "prevention device" but as an "IDS with a bad
attitude". A firewall is *never* an acceptable substitute for proper end-host
security procedures - the end host *must* be fully prepared to deal with a
total breach of the firewall (remember - a firewall will never stop a
disgruntled employee).
