[Dshield] Back to Multiple Firewalls

Stephane Grobety security at admin.fulgan.com
Mon Mar 18 17:18:03 GMT 2002


RR> O.K., that's one for and one against Multiple Firewalls.

Well, I personally like to use two different layers: one border
firewall, and one workstation firewall. Add a good IDS and you're
all set :)

RR> XP does create nice
RR> black holes and acknowledge the outbound problem - but ZA takes care of
RR> that.

Hmm. Might I ask why you want to control outgoing connections? There
are valid reasons to do so (like filtering anything that goes to the
double-click domain), but it seems out of focus for a personal firewall
(if you have been trojanized, it's already too late).

RR> It passed four independent audits and Gibson's Leak Test. If it ain't
RR> broke - don't fix it, they say... just wondered whether XP or ZA augmented
RR> each other - no effect, or possible risk effect with both.

Well, I personally see the "more might not always be better" effect.
If you have ONE effective firewall, adding a second one will, most
likely, just double the configuration/maintenance effort which, in
turn, will reduce actual security. If you add to that the increased
difficulty of maintaining logs from two different sources (no syslog
here)...


RR> (I doubt ZA could be
RR> augmented). A paid SecureSafe audit described a low risk "tracer route"
RR> vulnerability (I doubt any risk) but don't see a way around that without
RR> using a proxy or browser like Opera.

Could you elaborate? I couldn't find any info on that SecureSafe
thingy except an encryption program, and "low risk tracer route"
doesn't ring a bell. Did you mean "trace route"? If that's the
problem, you could just disable ICMP replies...

RR> Since I have a tie going - need one
RR> more vote.  Thanks.


-- 
Best regards,
 Stephane                            mailto:security at admin.fulgan.com
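
[Editor's note, added example: the "just disable ICMP replies" remark above is about a Windows XP / ZoneAlarm box, but the same idea is easiest to show as a Linux iptables ruleset. The script below is not part of the original mail or of any product it mentions; it assumes a Linux host with `iptables` on the PATH and defaults to printing the rules rather than applying them, so it can be run unprivileged. The port range 33434-33534 is the traditional UNIX traceroute UDP range and is an assumption for illustration.]

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux with iptables.
# Minimal INPUT-chain rules so this host neither answers ping nor ends a
# UDP traceroute with an ICMP port-unreachable. By default the rules are
# only echoed; call icmp_quiet_rules "iptables" as root to apply them.
icmp_quiet_rules() {
    ipt="${1:-echo iptables}"   # "echo iptables" = dry run, "iptables" = apply

    # Drop inbound echo requests: no echo reply, so ping and ICMP-based
    # traceroute (e.g. Windows tracert) show this final hop as "* * *".
    $ipt -A INPUT -p icmp --icmp-type echo-request -j DROP

    # Classic UNIX traceroute sends UDP to high ports and waits for the
    # destination's ICMP port-unreachable. DROP (not REJECT) means the
    # stack never sees the datagram, so no unreachable is generated.
    # Assumed range: the default traceroute base port plus 100 probes.
    $ipt -A INPUT -p udp --dport 33434:33534 -j DROP
}

# Count how many DROP rules the generator produces (used as a self-check).
icmp_quiet_rule_count() {
    icmp_quiet_rules | grep -c -- '-j DROP'
}

# Dry run: show what would be applied.
icmp_quiet_rules
```

Caveat a practitioner should keep in mind: the "time exceeded" messages that make traceroute work are sent by the intermediate routers, not by this host, so the path up to the last hop remains fully visible; only the final hop stops answering. TCP-based traceroute aimed at an open port will still get a SYN-ACK from the listening service, so these rules hide the host from ping and from the classic UDP/ICMP probes, not from every enumeration method.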