[Dshield] Firewall Poll...
kmartin at pyrzqxgl.org
Sat Mar 30 18:00:44 GMT 2002
> With respect to what is more secure: Don't just look at various
> tests and such. Personally, I think a Linux/BSD firewall is probably as
> secure as it gets, IF it is set up right, which is difficult. A standard
> install with ZoneAlarm is probably more secure than a badly maintained
> Linux firewall.
Another comment: even if you are using a separate firewall unit (e.g. an
independent Linux box, or a dedicated appliance like a PIX), do not rely on
that as your only line of defense. A PIX will let you control at layers 3
and 4 (IP and TCP/UDP) what gets into your network, but once you open a
conduit to allow people into your webserver, the PIX won't do (much) to
protect it from being attacked on the designated service port. Not many
firewalls do filtering at layers 5 and above. Installing a firewall doesn't
excuse you from hardening the inside of your network. (I know, this is
difficult when you have a Windows network.)
And don't forget to do egress monitoring!