
>
> Well, I agree that a host firewall is a good way to stop an
> internal attack, but I wonder how important that is, compared
> to all the other attacks that go on?  An interesting question.
>
> My problem with having a firewall on an insecure platform
> like Windows is that, using your analogy, I worry very much
> about vandals not going through the door, but around it.  If
> someone finds a way to co-opt the TCP stack, it doesn't
> seem to me that such a firewall is going to be much good.
> I also wonder about other methods to mess with a process,
> disabling it (what happens then?  Is it passive, or does
> it not let anything through, breaking net connectivity?).
>
> But yes, it *will* prevent certain kinds of attacks.  Maybe
> even 98% of them; certainly the stupid script kiddie attacks
> that are prevalent these days.
>
> When I think of border firewalls, I think of departmental
> entities, not campus-wide.  Yes, I can readily see how
> hard it is to deal with immense data streams, but besides
> that, one common firewall imposes restrictions that some
> units need but perhaps might impede others.  I don't
> think a one-size-fits-all firewall solution works except
> for global policy issues.

I'd say that the firewall on the server is *very* important.  Going back
to your earlier post, it's another layer of the onion.  As far as the
TCP stack goes, the firewall software normally fits in at a fairly low
(early) level, so it can block many of the attacks aimed at the TCP
stack.  I would be more concerned about the security of the ports and
addresses that are allowed through the firewall, once the firewall is in
place.

For a good, concrete example, a first cut at a firewall ruleset might be
to disallow the Microsoft ports (135-139, 445) from any off-campus
addresses, or perhaps any address outside of your building.  You can put
in some exceptions for key users or administrators, and still block a
large variety of potential attacks.  Of course a better ruleset blocks
everything *but* the desired external ports and addresses.

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University
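The two rulesets Doug sketches above (a "first cut" that only denies the Microsoft ports 135-139 and 445 from outside the building, with exceptions for administrators, and a "better" default-deny ruleset that allows only the desired external ports and addresses) can be modelled as a first-match packet filter. The following is an added illustration, not code from the original post or from MSU; the campus/building/administrator address ranges, the choice of 80/443 as the externally allowed services, and the sample packets are all constructed for the example. It also includes a small shadowing check that flags the classic ordering mistake of placing the deny rule before the administrator exceptions, which the post's description of "exceptions for key users" implies but does not spell out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One line of a host firewall ruleset (inbound direction)."""
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network     # source network the rule matches
    ports: frozenset               # destination ports; empty = any port

    def matches(self, src_ip, dport):
        return src_ip in self.src and (not self.ports or dport in self.ports)


def evaluate(rules, src_ip, dport, default):
    """First-match evaluation: the first rule that matches decides,
    otherwise the ruleset's default policy applies."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(src, dport):
            return rule.action
    return default


def shadowed(rules):
    """Indices of rules that can never fire because an earlier rule
    already matches every packet they would match (same or wider
    source range, same or wider port set). Used to catch a deny placed
    in front of the exceptions it was meant to have."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            wider_src = later.src.subnet_of(earlier.src)
            wider_ports = (not earlier.ports
                           or (later.ports and later.ports <= earlier.ports))
            if wider_src and wider_ports:
                hidden.append(i)
                break
    return hidden


# Constructed topology (assumptions for the example, not MSU's network):
# private space for the campus, one /16 for "your building", two admin
# workstations, one of them off campus.
ANY = ipaddress.ip_network("0.0.0.0/0")
BUILDING = ipaddress.ip_network("10.20.0.0/16")
ADMIN_HOSTS = [ipaddress.ip_network("10.30.1.5/32"),
               ipaddress.ip_network("198.51.100.7/32")]

MS_PORTS = frozenset(range(135, 140)) | {445}   # the ports named in the post
WEB_PORTS = frozenset({80, 443})                # assumed services to expose

# "First cut": exceptions first, then deny the Microsoft ports from
# anywhere outside the building; everything else still passes.
FIRST_CUT = ([Rule("allow", h, MS_PORTS) for h in ADMIN_HOSTS]
             + [Rule("allow", BUILDING, MS_PORTS),
                Rule("deny", ANY, MS_PORTS)])

# "Better": default deny, allow only what is wanted from outside.
BETTER = ([Rule("allow", ANY, WEB_PORTS)]
          + [Rule("allow", h, MS_PORTS) for h in ADMIN_HOSTS]
          + [Rule("allow", BUILDING, MS_PORTS)])

# The ordering mistake: deny placed before the administrator exceptions.
MISORDERED = ([Rule("deny", ANY, MS_PORTS)]
              + [Rule("allow", h, MS_PORTS) for h in ADMIN_HOSTS])


def first_cut_decision(src_ip, dport):
    return evaluate(FIRST_CUT, src_ip, dport, default="allow")


def better_decision(src_ip, dport):
    return evaluate(BETTER, src_ip, dport, default="deny")


if __name__ == "__main__":
    # Constructed sample packets: off-campus host, building host, remote admin.
    for src, port in [("203.0.113.9", 445), ("203.0.113.9", 80),
                      ("203.0.113.9", 23), ("10.20.3.4", 139),
                      ("198.51.100.7", 445)]:
        print(f"{src:>14} -> {port:<4} first cut: {first_cut_decision(src, port):<5}"
              f" better: {better_decision(src, port)}")
    print("shadowed rules in MISORDERED:", shadowed(MISORDERED))
```

The difference between the two rulesets shows up on the telnet packet (port 23): the first cut passes it because its default is allow, the default-deny ruleset drops it. The shadowing check is the test to run whenever an exception is added: if the new allow line comes back as shadowed, it sits below the deny it was supposed to override and the administrator is locked out.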