>> Putting a "firewall" on the machine that winds up protecting
>> itself is something of a bad idea. A firewall really wants to
>> be an entity which has all the packets in the network flowing
>> past it, where it makes determiniations about them.
>I'm going to have to disagree here - putting a firewall directly on a
>client or server system is a great line of defense. If it is set up
>properly, it is a great aid to the defenses of that system. I would
>liken a local system firewall to locks on the front door (or maybe
>better, the windows and side doors where you don't normally expect
>entry), whereas an enterprise-wide firewall is like a border check
>station at the city limits. There are benefits to the border firewall,
>but as has been pointed out, it doesn't protect from the attack within.
>And one significant issue we face is that there are VERY few products
>available (count on one hand) which can even begin to handle a data
>stream of 800+ Mbps, which is our current Internet load (we'll need 2
>Gbps within a year, I'm sure).ug:
Shouldn't firewalls be like bottle necks ie.. the one location through which
the packets must travel before they get to the Computers that are behind it.
That way they can monitor these incoming and outgoing packets to check the
sources and destinations (addresses) of these packets. This way you can
perform some type of egress filtering, and discard packets from certain
addresses and address ranges? This can prevent hacking but also prevent the
hijacking of computers for use in a Denial Of Service Attack.
It is understandable that there is overhead in checking each and every
packet, and this could potentially slow down throughput.
I don't know about the way the university does it, but I know the major
government organizations do not use software firewalls installed on each and
every separate computer. They use a bottleneck approach to protect large
numbers of computers and ensure the validity of the configuration and
firewall rules.
Wouldn't it be more logical to have one firewall for a building or floor of
a large multi departmental building , instead of purchasing 55 copies of
black ice and having 54 different firewall configurations?
Lee Duynslager
Lee Duynslager
Michigan State University
Center for Integrated Plant Systems
Information Tech. Professional
(517)432-5296
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Doug Nelson
Sent: Thursday, January 16, 2003 4:26 PM
To: [log in to unmask]
Subject: Re: BlackICE
>
> Putting a "firewall" on the machine that winds up protecting
> itself is something of a bad idea. A firewall really wants to
> be an entity which has all the packets in the network flowing
> past it, where it makes determiniations about them.
I'm going to have to disagree here - putting a firewall directly on a
client or server system is a great line of defense. If it is set up
properly, it is a great aid to the defenses of that system. I would
liken a local system firewall to locks on the front door (or maybe
better, the windows and side doors where you don't normally expect
entry), whereas an enterprise-wide firewall is like a border check
station at the city limits. There are benefits to the border firewall,
but as has been pointed out, it doesn't protect from the attack within.
And one significant issue we face is that there are VERY few products
available (count on one hand) which can even begin to handle a data
stream of 800+ Mbps, which is our current Internet load (we'll need 2
Gbps within a year, I'm sure).
Doug Nelson [log in to unmask]
Network Manager Ph: (517) 353-2980
Computer Laboratory http://www.msu.edu/~nelson/
Michigan State University
|