Well, I agree that a host firewall is a good way to stop an internal attack, but I wonder how important that is, compared to all the other attacks that go on? An interesting question. My problem with having a firewall on an unsecure platform like Windows is that, using your analogy, I worry very much about vandals not going through the door, but around it. If someone finds a way to co-opt the TCP stack, it doesn't seem to me that such a firewall is going to be much good. I also wonder about other methods to mess with a process, disabling it (what happens then? Is it passive, or does it not let anything through, breaking net connectivity?). But yes, it *will* prevent certain kinds of attacks. Maybe even 98% of them; certainly the stupid script kiddie attacks that are prevalent these days.

When I think of border firewalls, I think of departmental entities, not campus-wide. Yes, I can readily see how hard it is to deal with immense data streams, but besides that, one common firewall imposes restrictions that some units need but perhaps might impede others. I don't think a one-size-fits-all firewall solution works except for global policy issues.

--STeve Andre'

On Thursday 16 January 2003 16:26, Doug Nelson wrote:
> > Putting a "firewall" on the machine that winds up protecting
> > itself is something of a bad idea. A firewall really wants to
> > be an entity which has all the packets in the network flowing
> > past it, where it makes determinations about them.
>
> I'm going to have to disagree here - putting a firewall directly on a
> client or server system is a great line of defense. If it is set up
> properly, it is a great aid to the defenses of that system. I would
> liken a local system firewall to locks on the front door (or maybe
> better, the windows and side doors where you don't normally expect
> entry), whereas an enterprise-wide firewall is like a border check
> station at the city limits. There are benefits to the border firewall,
> but as has been pointed out, it doesn't protect from the attack within.
> And one significant issue we face is that there are VERY few products
> available (count on one hand) which can even begin to handle a data
> stream of 800+ Mbps, which is our current Internet load (we'll need 2
> Gbps within a year, I'm sure).
>
> Doug Nelson [log in to unmask]
> Network Manager Ph: (517) 353-2980
> Computer Laboratory http://www.msu.edu/~nelson/
> Michigan State University
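The "attack from within" point in the exchange above is easy to see in a small model. The following is an added example, not code from either poster: a toy stateful packet filter that is instantiated twice, once as a border firewall that only sees traffic crossing the campus edge, and once as a default-deny host firewall on a single machine. The campus prefix, host address, ports and sample packets are all constructed for the illustration.

```python
"""Toy model: border firewall versus default-deny host firewall.

Added example. The addresses, ports and rules below are constructed
for illustration and are not taken from the original posts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.0.0.0/8")             # assumed campus address space
HOST = ip_network("10.1.2.3/32")              # assumed protected workstation


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn_only: bool        # True for a TCP connection attempt (SYN, no ACK)


class StatefulFilter:
    """Default-deny stateful filter protecting one address range.

    A packet whose endpoints are both inside (or both outside) the
    protected range never crosses the filter and gets no verdict at all;
    that is the structural blind spot of a border firewall.
    """

    def __init__(self, protected, allowed_inbound_ports):
        self.protected = protected
        self.allowed_inbound = set(allowed_inbound_ports)
        self.conntrack = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def verdict(self, pkt):
        src_in = ip_address(pkt.src) in self.protected
        dst_in = ip_address(pkt.dst) in self.protected
        if src_in == dst_in:
            return "not seen"                     # does not cross this filter
        if src_in:                                # outbound: allow and remember
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept"
        # Inbound. First, is it part of a connection the inside opened?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "accept"
        # New inbound connection: only to explicitly permitted ports.
        if pkt.syn_only and pkt.dport in self.allowed_inbound:
            self.conntrack.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "accept"
        return "drop"                             # default deny, nothing else matched


def run_scenario():
    """Return {name: (border verdict, host verdict)} for constructed packets."""
    border = StatefulFilter(CAMPUS, allowed_inbound_ports={80})   # campus web server
    host = StatefulFilter(HOST, allowed_inbound_ports={22})       # only SSH to the box
    packets = [
        ("external_probe", Packet("198.51.100.7", "10.1.2.3", 40000, 445, True)),
        ("internal_probe", Packet("10.9.9.9", "10.1.2.3", 40001, 445, True)),
        ("internal_ssh", Packet("10.9.9.9", "10.1.2.3", 40002, 22, True)),
        ("outbound_web", Packet("10.1.2.3", "198.51.100.80", 50000, 80, True)),
        ("web_reply", Packet("198.51.100.80", "10.1.2.3", 80, 50000, False)),
        ("unsolicited", Packet("198.51.100.80", "10.1.2.3", 80, 50001, False)),
    ]
    results = {}
    for name, pkt in packets:          # order matters: the reply follows the request
        results[name] = (border.verdict(pkt), host.verdict(pkt))
    return results


if __name__ == "__main__":
    for name, (b, h) in run_scenario().items():
        print(f"{name:15s} border={b:9s} host={h}")
```

The internal SMB probe is the interesting row: the border filter returns "not seen" because the packet never crosses it, while the host filter drops it. The model's default verdict is "drop", so an absent rule cannot open a port; whether a given product behaves that way when its user-space process is killed is exactly the question raised above and has to be checked against that product, not assumed.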