> > Putting a "firewall" on the machine that winds up protecting
> itself is something of a bad idea. A firewall really wants to
> be an entity which has all the packets in the network flowing
> past it, where it makes determinations about them.

I'm going to have to disagree here - putting a firewall directly on a client or server system is a great line of defense. If it is set up properly, it is a great aid to the defenses of that system.

I would liken a local system firewall to locks on the front door (or maybe better, the windows and side doors where you don't normally expect entry), whereas an enterprise-wide firewall is like a border check station at the city limits.

There are benefits to the border firewall, but as has been pointed out, it doesn't protect from the attack within. And one significant issue we face is that there are VERY few products available (count on one hand) which can even begin to handle a data stream of 800+ Mbps, which is our current Internet load (we'll need 2 Gbps within a year, I'm sure).

Doug Nelson
Network Manager
Computer Laboratory
Michigan State University
Ph: (517) 353-2980
http://www.msu.edu/~nelson/