[Dshield] Firewall Poll...

Kelly Martin kmartin at pyrzqxgl.org
Sat Mar 30 18:00:44 GMT 2002

> With respect to what is more secure: Don't just look at various
> tests and such. Personally, I think a Linux/BSD firewall is probably as
> secure as it gets, IF it is set up right, which is difficult. A standard
> install with ZoneAlarm is probably more secure than a badly maintained
> Linux firewall.

Another comment: even if you are using a separate firewall unit (e.g. an
independent Linux box, or a dedicated appliance like a PIX), do not rely on
that as your only line of defense.  A PIX will let you control at layers 3
and 4 (IP and TCP/UDP) what gets into your network, but once you open a
conduit to allow people into your webserver, the PIX won't do (much) to
protect it from being attacked on the designated service port.  Not many
firewalls do filtering at layers 5 and above.  Installing a firewall doesn't
excuse you from hardening the inside of your network.  (I know, this is
difficult when you have a Windows network.)

And don't forget to do egress monitoring!
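
Added example, not part of the original post: a small Python model of the two points above. A layer 3/4 conduit decision never looks at the payload, and egress monitoring flags outbound flows that fall outside policy. The addresses, the flows, the egress policy and the function names are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")            # constructed inside network
WEB = ip_address("192.0.2.10")                 # constructed web server
CONDUITS = {("tcp", WEB, 80)}                  # inbound: what the firewall lets in
EGRESS_OK = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # assumed outbound policy

# Constructed flows: (src, dst, proto, dport, payload)
FLOWS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    # Over-long request line: same 5-tuple class as the flow above.
    ("198.51.100.9", "192.0.2.10", "tcp", 80, b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"),
    ("198.51.100.9", "192.0.2.10", "tcp", 139, b""),
    # Web server opening an outbound connection on an unexpected port.
    ("192.0.2.10", "203.0.113.5", "tcp", 6667, b""),
    ("192.0.2.23", "203.0.113.80", "tcp", 443, b""),
]

def inbound_permitted(flow):
    """Layer 3/4 decision: protocol, destination address and port only."""
    _src, dst, proto, dport, _payload = flow   # payload is never inspected
    return (proto, ip_address(dst), dport) in CONDUITS

def egress_alerts(flows):
    """Outbound flows from inside hosts that fall outside the egress policy."""
    return [f[:4] for f in flows
            if ip_address(f[0]) in INSIDE and ip_address(f[1]) not in INSIDE
            and (f[2], f[3]) not in EGRESS_OK]

if __name__ == "__main__":
    for f in FLOWS:
        if ip_address(f[1]) in INSIDE:
            print("inbound", f[:4], "payload bytes:", len(f[4]),
                  "permit" if inbound_permitted(f) else "deny")
    for alert in egress_alerts(FLOWS):
        print("egress alert", alert)
```

Both port-80 requests are permitted even though one carries a 4000-byte request line, so checking that is left to the web server itself; the egress check is what notices the server connecting out on tcp/6667.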


