Firewall Wizards mailing list archives
Re: Facts, not Fiction
From: Bennett Todd <bet () rahul net>
Date: Fri, 14 Nov 1997 03:46:46 -0800
1997-11-13-06:12:01 Chris Brenton wrote:
> Andreas Siegert wrote:
> > Unless the customer is on an extreme low budget, I always use a multistage design. Anything else would be irresponsible in my opinion.
>
> I guess I have a bit of a problem with blanket statements like this one. It insinuates that there is a "one size fits all" solution to protecting a network which is clearly not the case. A risk analysis should be performed in order to determine what level of security is actually required.
I hadn't really thought about it in as many words before, but now that you rub my nose in it, I guess I have come to endorse a bit of a ``one size fits all'' approach to firewalls. Really, it's more like a few sizes fit all, though. My decision tree looks like:

- If it's a tiny shop with a trivial security policy and a near-zero budget, set 'em up with a trivial little firewall based on my OS of choice (Red Hat Linux), stripped of all standard daemons, running ipfw+fwtk. Give them the standard off-the-shelf security stance, something along the lines of ``inbound&outbound proxied email, and access to proxied WWW _only_, proxied through a cascade of squid (for performance) feeding from http-gw (for applet stripping)''. Then discuss the limitations of this stance with them, and why those limits are often good, and see what needs changing.

- If there's enough more money around to be able to afford it, toss a Cisco 2500-series router just outside the above fw configured as a screening router.

- If we're still awash in money explain alternative commercial offerings, with their tradeoffs of support -vs- cost.

- As the site gets bigger and its demands grow, increase performance if necessary by adding additional proxy hosts; accommodate more complex requests for frobbing the security policy by implementing more complex configurations of the proxying software, possibly assisted with additional hosts.

My feeling is that a risk analysis is valuable, but that you only really get the benefit of it when you have a nearly-infinite budget; when funds are tight the cost of the detailed analysis comes out of the implementation budget, and you're better off giving them a known-good firewall setup, initially set for a quite conservative stance, that can be easily tweaked for minor changes from that stance.

-Bennett
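The ``proxied WWW only, squid feeding from http-gw'' cascade described in the post, as an added squid.conf fragment that is not from the original message or from fwtk: squid answers the internal clients, forwards every request to the fwtk http-gw parent (so the applet-stripping proxy sees all web traffic), and is never allowed to fetch directly. The host name, ports, internal subnet and the directive names of a later squid release than the 1997 one are assumptions.

```conf
# Constructed example: squid as the performance tier in front of fwtk's http-gw.
# Directive names follow later squid releases (cache_peer, never_direct);
# the 1997-era syntax differed.

# Listen for internal browsers only (assumed internal subnet).
http_port 192.168.1.1:3128

# The fwtk http-gw proxy is the only upstream; port 8080 is assumed.
# no-query: no ICP to the parent; default: use it for everything.
cache_peer http-gw.fw.internal parent 8080 0 no-query default

# Never bypass the parent: every request must pass through http-gw,
# otherwise a squid misconfiguration would silently skip applet stripping.
never_direct allow all

# Default-deny stance: only the internal subnet may use the proxy,
# and only for plain web ports, matching the conservative initial policy.
acl localnet src 192.168.1.0/24
acl Safe_ports port 80 443
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
```

With this in place, the packet filter on the firewall host only needs to admit client traffic to squid's port and squid's traffic to http-gw, which is what keeps the stance easy to tweak later.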
Current thread:
- Facts, not Fiction Hartmut . Fehling (Nov 07)
- Re: Facts, not Fiction Marcus J. Ranum (Nov 07)
- Re: Facts, not Fiction Darren Reed (Nov 08)
- Re: Facts, not Fiction Bennett Todd (Nov 10)
- <Possible follow-ups>
- Facts, not Fiction Andreas Siegert (Nov 12)
- Re: Facts, not Fiction Chris Brenton (Nov 13)
- Re: Facts, not Fiction Bennett Todd (Nov 14)
- Re: Facts, not Fiction Chris Brenton (Nov 14)
- Re: Facts, not Fiction chuck yerkes (Nov 14)
- Re: Facts, not Fiction Chris Brenton (Nov 15)
- Re: Facts, not Fiction Chris Brenton (Nov 13)
- Re: Facts, not Fiction Andreas Siegert (Nov 24)
- Re: Facts, not Fiction Marcus J. Ranum (Nov 07)