Well, I agree that a host firewall is a good way to stop an
internal attack, but I wonder how important that is, compared
to all the other attacks that go on? An interesting question.
My problem with having a firewall on an insecure platform
like Windows is that, using your analogy, I worry very much
about vandals not going through the door, but around it. If
someone finds a way to co-opt the TCP stack, it doesn't
seem to me that such a firewall is going to be much good.
I also wonder about other methods to mess with a process,
disabling it (what happens then? Is it passive, or does
it not let anything through, breaking net connectivity?).
But yes, it *will* prevent certain kinds of attacks. Maybe
even 98% of them; certainly the stupid script kiddie attacks
that are prevalent these days.
When I think of border firewalls, I think of departmental
entities, not campus-wide. Yes, I can readily see how
hard it is to deal with immense data streams, but besides
that, one common firewall imposes restrictions that some
units need but perhaps might impede others. I don't
think a one-size-fits-all firewall solution works except
for global policy issues.
--STeve Andre'
On Thursday 16 January 2003 16:26, Doug Nelson wrote:
> > Putting a "firewall" on the machine that winds up protecting
> > itself is something of a bad idea. A firewall really wants to
> > be an entity which has all the packets in the network flowing
> > past it, where it makes determinations about them.
>
> I'm going to have to disagree here - putting a firewall directly on a
> client or server system is a great line of defense. If it is set up
> properly, it is a great aid to the defenses of that system. I would
> liken a local system firewall to locks on the front door (or maybe
> better, the windows and side doors where you don't normally expect
> entry), whereas an enterprise-wide firewall is like a border check
> station at the city limits. There are benefits to the border firewall,
> but as has been pointed out, it doesn't protect from the attack within.
> And one significant issue we face is that there are VERY few products
> available (count on one hand) which can even begin to handle a data
> stream of 800+ Mbps, which is our current Internet load (we'll need 2
> Gbps within a year, I'm sure).
>
>
> Doug Nelson [log in to unmask]
> Network Manager Ph: (517) 353-2980
> Computer Laboratory http://www.msu.edu/~nelson/
> Michigan State University