List:       ipfilter
Subject:    Re: simple, yet somewhat more secure than nothing [was: Re: simple, yet
From:       "shawn . moyer" <shawn () net-connect ! net>
Date:       2001-01-28 1:04:54

"Ralph M. Churchill" wrote:

> I hope that no one mistook my inclusion of the word "secure" in the
> subject to mean "100% secure". I'm not *quite* that stupid ;) I just
> wanted to start a discussion on the aspects of firewalling a small
> network and in that regard, I think we were successful.

My response was not really to your post, but rather to the responses! 

If one gets stuck in mental gymnastics about the possibilities and gets
bogged down in all the various scenarios that might play out due to this
or that variable, one can get pretty far off track and forget that the
first purpose (after securing a network) is to *use* a network for
stuff... :) In my mind, you want the best combination of security and
functionality. 

Besides, firewalls are only one part of the overall picture... Network
and host IDS, in combination with periodic auditing, are just as big a
component of good security practice as what packets you allow or
disallow. In fact, [ flames > /dev/null ] I would say that agonizing too
much over creating an "airtight" firewall policy might even give one a
false sense of safety. 

Ralph, I think your config is prudent, reasonable, and just fine. Just
having a default policy of deny at all brings it head and shoulders
above many corporate firewall policies I've seen. :)




--shawn
 

-- 
s h a w n   m o y e r
shawn@net-connect.net
