September 5th, 2003, 05:21 PM
Is that a firewall on your perimeter or just some Swiss cheese?
I feel badly for Swiss cheese. Thanks to a few holes, it will forever be likened to lousy security. These days, perhaps the best application for that metaphor is to your firewall. While firewalls (the non-personal ones) keep the riffraff out of your network, they can no longer be counted on to secure the perimeter of business or home networks the way they once did.
September 5th, 2003, 08:49 PM
The author of that article needs to do a little more research.
Although firewalls are by no means an end-all security solution, and frequently not needed for security at all, the reasons he presents are less than accurate.
True, if you are running a web server or SMTP server you need to have ports open in your firewall, but really, who with any knowledge of security at all runs a simple port filtering firewall? Most now use application proxies and strong typing to match valid against invalid data; this of course doesn't work as well with encrypted connections, but these are rarely the sites of attack because it is more difficult to hide the source system.
There are systems now in place by high security companies/government applications that sign all traffic and then if an element of traffic is determined to violate a set of rules on a mirrored bastion host that signature is flagged and filtered and all systems receiving the original signature are isolated, until they may be repaired.
Simpler solutions like FWTK, Gauntlet, and Sidewinder all fly in the face of the author's points.
End answer, use a firewall to protect your network, use trusted systems technology to protect the servers within that network.
September 6th, 2003, 01:25 AM
There is one part of that article that I agree with (110 %).
IM clients that use port 80 to connect. (Can you say MSN Messenger?)
A little imagination & script kiddies are beyond the firewall.
PS: good comments "catch"
September 10th, 2003, 07:46 AM
I'd be curious to see where you work, catch - interesting concept. I have seen networks where the servers (web, mail etc.) were set in the DMZ between either routers or firewalls (or both), where the outside was port restricting and routing (i.e. all requests to port 80 go to the web server and so on), then the inside router/firewall was where the serious amount of traffic got dropped and everything else was NAT'd out so the meat and taters of the network was obscured (bad idea) and unroutable.
Maybe my concepts of security are becoming dated....
Where's the ka-booom?
There was supposed to be an earth-shattering ka-booom!
September 10th, 2003, 10:18 AM
Funny you should mention that, I quit my job Monday.
Screened subnets are still quite popular and effective; however, difficulties arise when internal client systems need to access the same data sources as external client systems. This creates a path of potential compromise, and the migration to a more secure server system is indicated as the servers are no longer isolated from internal resources. If you are going to be using trusted systems anyhow, why not just save them money and stick them on the other side of the firewall, and internal clients can treat them as external hosts. You will save money in hardware, policy development, and life cycle resources as a result of the simpler system. You of course still incur the additional costs of the TOSes, but those would be assumed in either situation.
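The screened-subnet layout described in the two posts above (outside filter admits only port 80 to the web server, inside filter drops the rest and NATs internal clients out, internal clients treat the DMZ host as external), collapsed onto a single three-interface firewall as an added nftables example; this is not from the thread, and the interface names and addresses are constructed.

```nft
#!/usr/sbin/nft -f
# Screened subnet (DMZ) on one three-legged firewall.
# Interface names and addresses below are constructed for the example.
define WAN     = eth0
define DMZ     = eth1
define LAN     = eth2
define WEB     = 192.0.2.10      # web server in the DMZ
define LAN_NET = 10.0.0.0/24     # internal clients, never routable outside

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Outside -> DMZ: only HTTP, and only to the web server.
        iifname $WAN oifname $DMZ ip daddr $WEB tcp dport 80 accept

        # LAN -> Internet: web and DNS only. Note that a port filter cannot
        # tell an IM client tunnelling over 80 from a browser (the thread's
        # point); that distinction belongs to an application proxy.
        iifname $LAN oifname $WAN ip saddr $LAN_NET tcp dport { 80, 443 } accept
        iifname $LAN oifname $WAN ip saddr $LAN_NET udp dport 53 accept

        # LAN -> DMZ: internal clients reach the server as if it were external.
        iifname $LAN oifname $DMZ ip daddr $WEB tcp dport 80 accept

        # DMZ -> LAN: a compromised DMZ host gets no path inward.
        iifname $DMZ oifname $LAN drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide internal addressing behind the firewall's WAN address.
        oifname $WAN ip saddr $LAN_NET masquerade
    }
}
```

Load with `nft -f` and confirm with `nft list ruleset`; any DMZ-to-LAN flow should appear only as a counter on the final drop rule.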