> Shouldn't firewalls be like bottlenecks, i.e., the one location through which
> the packets must travel before they get to the computers that are behind it?
> That way they can monitor these incoming and outgoing packets to check the
> sources and destinations (addresses) of these packets.  This way you can
> perform some type of egress filtering, and discard packets from certain
> addresses and address ranges.  This can prevent hacking but also prevent the
> hijacking of computers for use in a Denial of Service attack.
>
> It is understandable that there is overhead in checking each and every
> packet, and this could potentially slow down throughput.
>
> I don't know about the way the university does it, but I know the major
> government organizations do not use software firewalls installed on each and
> every separate computer.  They use a bottleneck approach to protect large
> numbers of computers and ensure the validity of the configuration and
> firewall rules.
>
> Wouldn't it be more logical to have one firewall for a building or floor of
> a large multi-departmental building, instead of purchasing 55 copies of
> BlackICE and having 54 different firewall configurations?

Why not do both?  But also tell me how the one central firewall is
going to avoid having 54 separate pieces to its ruleset?  And besides,
I think you'll find that you don't really have 54 unique configurations
on your 50+ systems.

Doug Nelson                     [log in to unmask]
Network Manager                 Ph: (517) 353-2980
Computer Laboratory             http://www.msu.edu/~nelson/
Michigan State University
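The chokepoint filter the quoted message describes (one place that sees every inbound and outbound packet and matches source and destination addresses against a ruleset) can be sketched as a small first-match evaluator. This is an added illustration, not code from either poster or from any product named in the thread; the address blocks, the blocked range and the per-host entry are constructed for the example. It also shows the point of the reply: a central ruleset still ends up carrying host-specific pieces, here a rule for one host that accepts nothing inbound.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: the address block assigned to the hosts behind the firewall.
INTERNAL = ip_network("10.20.0.0/16")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" (toward the protected hosts) or "out" (leaving them)


@dataclass(frozen=True)
class Rule:
    direction: str
    src: str     # CIDR the source address must fall in
    dst: str     # CIDR the destination address must fall in
    action: str  # "accept" or "drop"


# First match wins; anything that matches nothing falls to the default below.
RULES = [
    # Egress filtering: packets leaving must carry an internal source address.
    Rule("out", str(INTERNAL), str(ANY), "accept"),
    # Anything else leaving is spoofed (or misrouted) and is discarded; this is
    # the check that stops a hijacked host from sourcing forged DoS traffic.
    Rule("out", str(ANY), str(ANY), "drop"),
    # Ingress: a constructed address range the site has chosen to block.
    Rule("in", "192.0.2.0/24", str(INTERNAL), "drop"),
    # A host-specific entry: 10.20.3.4 accepts nothing from outside.  One such
    # line per host is how "54 separate pieces" creep into a central ruleset.
    Rule("in", str(ANY), "10.20.3.4/32", "drop"),
    # Everything else addressed to the internal block is allowed through.
    Rule("in", str(ANY), str(INTERNAL), "accept"),
]
DEFAULT_ACTION = "drop"


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's direction and both addresses satisfy the rule."""
    return (
        rule.direction == pkt.direction
        and ip_address(pkt.src) in ip_network(rule.src)
        and ip_address(pkt.dst) in ip_network(rule.dst)
    )


def evaluate(pkt: Packet, rules=RULES, default=DEFAULT_ACTION) -> str:
    """Return the action of the first matching rule, or the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def tally(packets, rules=RULES) -> dict:
    """Count accepted and dropped packets for a batch, as a firewall log would."""
    counts = {"accept": 0, "drop": 0}
    for pkt in packets:
        counts[evaluate(pkt, rules)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate outbound flow, one spoofed
    # outbound packet, and three inbound packets exercising each ingress rule.
    sample = [
        Packet("10.20.3.4", "203.0.113.5", "out"),
        Packet("198.51.100.9", "203.0.113.5", "out"),
        Packet("192.0.2.7", "10.20.5.5", "in"),
        Packet("203.0.113.5", "10.20.3.4", "in"),
        Packet("203.0.113.5", "10.20.5.5", "in"),
    ]
    for pkt in sample:
        print(f"{pkt.direction:>3} {pkt.src:>15} -> {pkt.dst:<15} {evaluate(pkt)}")
    print(tally(sample))
```

Running it prints one accept for the legitimate outbound packet, drops for the spoofed outbound packet, the blocked range and the host-specific entry, and an accept for the remaining inbound packet. The evaluator deliberately has no state, so it mirrors plain address filtering rather than the connection tracking a stateful product would add.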