>> Putting a "firewall" on the machine that winds up protecting
>> itself is something of a bad idea. A firewall really wants to
>> be an entity which has all the packets in the network flowing
>> past it, where it makes determinations about them.

> I'm going to have to disagree here - putting a firewall directly on a
> client or server system is a great line of defense. If it is set up
> properly, it is a great aid to the defenses of that system. I would
> liken a local system firewall to locks on the front door (or maybe
> better, the windows and side doors where you don't normally expect
> entry), whereas an enterprise-wide firewall is like a border check
> station at the city limits. There are benefits to the border firewall,
> but as has been pointed out, it doesn't protect from the attack within.
> And one significant issue we face is that there are VERY few products
> available (count on one hand) which can even begin to handle a data
> stream of 800+ Mbps, which is our current Internet load (we'll need 2
> Gbps within a year, I'm sure).

Doug:

Shouldn't firewalls be like bottlenecks, i.e. the one location through which the packets must travel before they get to the computers that are behind it? That way they can monitor these incoming and outgoing packets to check the sources and destinations (addresses) of these packets. This way you can perform some type of egress filtering, and discard packets from certain addresses and address ranges. This can prevent hacking but also prevent the hijacking of computers for use in a Denial of Service attack. It is understandable that there is overhead in checking each and every packet, and this could potentially slow down throughput.

I don't know about the way the university does it, but I know the major government organizations do not use software firewalls installed on each and every separate computer. They use a bottleneck approach to protect large numbers of computers and ensure the validity of the configuration and firewall rules.

Wouldn't it be more logical to have one firewall for a building or floor of a large multi-departmental building, instead of purchasing 55 copies of BlackICE and having 54 different firewall configurations?

Lee Duynslager
Michigan State University
Center for Integrated Plant Systems
Information Tech. Professional
(517) 432-5296

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Doug Nelson
Sent: Thursday, January 16, 2003 4:26 PM
To: [log in to unmask]
Subject: Re: BlackICE

> > Putting a "firewall" on the machine that winds up protecting
> > itself is something of a bad idea. A firewall really wants to
> > be an entity which has all the packets in the network flowing
> > past it, where it makes determinations about them.

I'm going to have to disagree here - putting a firewall directly on a
client or server system is a great line of defense. If it is set up
properly, it is a great aid to the defenses of that system. I would
liken a local system firewall to locks on the front door (or maybe
better, the windows and side doors where you don't normally expect
entry), whereas an enterprise-wide firewall is like a border check
station at the city limits. There are benefits to the border firewall,
but as has been pointed out, it doesn't protect from the attack within.
And one significant issue we face is that there are VERY few products
available (count on one hand) which can even begin to handle a data
stream of 800+ Mbps, which is our current Internet load (we'll need 2
Gbps within a year, I'm sure).

Doug Nelson
[log in to unmask]
Network Manager
Ph: (517) 353-2980
Computer Laboratory
http://www.msu.edu/~nelson/
Michigan State University
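The chokepoint filtering Lee describes (an ingress deny list plus egress filtering that keeps a hijacked campus host from sending spoofed-source flood traffic out through the border), as an added Python sketch that is not part of this thread or of any product named in it; the campus prefix and blocked range are constructed documentation addresses, not MSU's real addressing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample values (RFC 5737 documentation ranges), not real addressing.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
BLOCKED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def is_inbound(pkt: Packet) -> bool:
    """A packet crossing the border is inbound when its destination is a campus address."""
    return ipaddress.ip_address(pkt.dst) in CAMPUS_NET


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, reason) for one packet seen at the single chokepoint."""
    src = ipaddress.ip_address(pkt.src)
    if is_inbound(pkt):
        # Ingress rule 1: discard packets from address ranges on the deny list.
        for net in BLOCKED_SOURCES:
            if src in net:
                return "DROP", f"ingress: source {pkt.src} in blocked range {net}"
        # Ingress rule 2: a packet arriving from outside that claims a campus
        # source address is spoofed and can never be legitimate.
        if src in CAMPUS_NET:
            return "DROP", f"ingress: spoofed campus source {pkt.src} from outside"
        return "ACCEPT", "ingress: no matching deny rule"
    # Egress rule: only packets with a genuine campus source may leave. A
    # hijacked host emitting spoofed-source DoS traffic is stopped here, so
    # the campus cannot be used as a launch point against others.
    if src not in CAMPUS_NET:
        return "DROP", f"egress: source {pkt.src} is not a campus address"
    return "ACCEPT", "egress: campus source"


def filter_stream(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Apply the chokepoint rules to every packet in a captured stream."""
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    # Constructed sample stream: blocked inbound, clean inbound, clean outbound,
    # spoofed outbound from a hijacked host, spoofed inbound.
    sample = [Packet("198.51.100.7", "192.0.2.10"), Packet("203.0.113.5", "192.0.2.10"),
              Packet("192.0.2.10", "203.0.113.5"), Packet("10.9.9.9", "203.0.113.5"),
              Packet("192.0.2.44", "192.0.2.10")]
    for pkt, (verdict, reason) in zip(sample, filter_stream(sample)):
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {verdict:6} {reason}")
```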