Firewall Wizards mailing list archives
Re: Facts, not Fiction
From: chuck yerkes <Chuck () yerkes com>
Date: Fri, 14 Nov 1997 14:50:18 -0500 (EST)
It is claimed, but unverified, that Chris Brenton wrote:
> Andreas Siegert wrote:
> [...]
> > Unless the customer is on an extreme low budget, I always use a multistage design. Anything else would be irresponsible in my opinion.
> > afx
> [...]
> Case 1: A pure Mac shop with an ISDN connection to the Internet. There are no internal IP services. Users connect through the ISDN connection in order to access POP mail from an ISP and browse the web.
Except when someone puts telnet and accidentally serves ftp with no passwords - allowing access to any machine on the mac network (that was a neat bug). Except when someone puts up a web server/ftp server. Except when someone starts using appleshare IP. These holes don't get noticed quickly. I recently ran a SATAN scan on a friend's network (with permission). We crashed 1 notes server, found free exports from their apple server (just upgraded to sys 8/appleshareIP - indeed I could mount it on my Mac over the net as could *anyone* else). But they were "just running PCs and not really using IP except as clients" so they "didn't need a firewall". I run into this time and again. Small companies, wanting "on the net." What would be the cost for them to have data taken? Not a lot, likely. Data ALTERED? Well that's a tad more expensive....
> Case 2: A national bank running the latest UNISYS system with integrated NT server. System access is via IP. The bank has a T1 connection to the Internet and wishes to allow customers to administrate their bank accounts via the Internet. While these two cases are a bit extreme, it's clear that they do not require the same level of security. A multistage design for case 1 would probably be overkill. Again, this is all IMO. Insisting that a multistage design is always required so long as the customer can afford it, rings too much like a sales person who knows what they want to sell you before they even know what you need.
I won't comment on NT's ability to serve huge volumes and reliability in a critical system - but yes, I'd expect the protection and the software to be much different. I'd be authenticating much harder and proxy the server with minimalist carefully audited software. But when mom has a cable modem and her bank data is accessible to others due to simple, easy-to-do misconfiguration, that's a problem. Firewalls give one point to focus security. The difference is that cheap places rarely secure the client machines. By giving them a solid firewall that mistake won't cost them their business.
chuck
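The "clients only" network in Case 1 is exactly where a default-deny perimeter earns its keep: the users only need outbound POP and web, so a stateful filter that admits inbound packets solely as replies to sessions the clients opened makes an accidentally started ftp, web or AppleShare IP (AFP over TCP, port 548) server unreachable from outside, whether or not anyone notices it is running. The following model of such a filter is an added example written for this archive page, not code from the original post or from any product the thread mentions; the addresses (RFC 5737 documentation ranges), the port policy and the sample traffic are constructed for illustration.

```python
"""Model of a default-deny, stateful perimeter filter for a clients-only LAN.

Added example, not from the original mailing-list post. Addresses use the
RFC 5737 documentation ranges; the traffic below is constructed, and the
model is TCP-only (the `syn` flag marks a new connection attempt).
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "192.0.2."                       # constructed: the office LAN
CLIENT_PORTS = {80: "HTTP", 110: "POP3", 443: "HTTPS"}  # what the users actually need


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True for a new TCP connection attempt


class ClientOnlyFirewall:
    """Nothing inbound is accepted unless it answers a session a client opened."""

    def __init__(self):
        # (internal_ip, internal_port, remote_ip, remote_port) for allowed outbound sessions
        self.sessions = set()
        self.log = []

    @staticmethod
    def _internal(ip):
        return ip.startswith(INTERNAL_PREFIX)

    def _verdict(self, p, action, reason):
        self.log.append(f"{action:5} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({reason})")
        return action

    def decide(self, p):
        outbound = self._internal(p.src) and not self._internal(p.dst)
        inbound = not self._internal(p.src) and self._internal(p.dst)
        if outbound:
            if p.syn:
                if p.dport not in CLIENT_PORTS:
                    return self._verdict(p, "DENY", f"outbound port {p.dport} not in client policy")
                self.sessions.add((p.src, p.sport, p.dst, p.dport))
                return self._verdict(p, "ALLOW", f"new {CLIENT_PORTS[p.dport]} client session")
            if (p.src, p.sport, p.dst, p.dport) in self.sessions:
                return self._verdict(p, "ALLOW", "established outbound session")
            return self._verdict(p, "DENY", "no matching session")
        if inbound:
            if not p.syn and (p.dst, p.dport, p.src, p.sport) in self.sessions:
                return self._verdict(p, "ALLOW", "reply to established outbound session")
            # Default deny: no internal services are published, so an accidentally
            # started ftp/web/AFP server on the LAN is never reachable from outside.
            return self._verdict(p, "DENY", "inbound connection; no internal services published")
        return self._verdict(p, "DENY", "traffic neither leaving nor entering the LAN")


# Constructed traffic: one legitimate mail check, three outside probes of
# services that were never meant to be exposed, and one out-of-policy client.
CONSTRUCTED_TRAFFIC = [
    Packet("192.0.2.10", "198.51.100.5", 49152, 110, True),   # client opens POP3 to the ISP
    Packet("198.51.100.5", "192.0.2.10", 110, 49152, False),  # ISP's POP3 server replies
    Packet("203.0.113.7", "192.0.2.20", 40001, 21, True),     # outsider reaches for accidental ftp
    Packet("203.0.113.7", "192.0.2.20", 40002, 548, True),    # outsider reaches for AppleShare IP
    Packet("203.0.113.7", "192.0.2.30", 40003, 80, True),     # outsider reaches for a stray web server
    Packet("192.0.2.10", "198.51.100.9", 49153, 6667, True),  # client tries a port outside policy
]


def run_demo(traffic=CONSTRUCTED_TRAFFIC):
    """Run the sample traffic through the filter and return the list of verdicts."""
    fw = ClientOnlyFirewall()
    verdicts = [fw.decide(p) for p in traffic]
    for line in fw.log:
        print(line)
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The point of the model is the asymmetry: the session table is only ever populated by connections the inside opens, so the three probes are dropped without the filter needing to know that ftp, AFP or a web server happens to be listening. Replacing the port dictionary with the sites' real client needs is the whole of the per-customer configuration; the inbound rule never changes.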
Current thread:
- Facts, not Fiction Hartmut . Fehling (Nov 07)
- Re: Facts, not Fiction Marcus J. Ranum (Nov 07)
- Re: Facts, not Fiction Darren Reed (Nov 08)
- Re: Facts, not Fiction Bennett Todd (Nov 10)
- <Possible follow-ups>
- Facts, not Fiction Andreas Siegert (Nov 12)
- Re: Facts, not Fiction Chris Brenton (Nov 13)
- Re: Facts, not Fiction Bennett Todd (Nov 14)
- Re: Facts, not Fiction Chris Brenton (Nov 14)
- Re: Facts, not Fiction chuck yerkes (Nov 14)
- Re: Facts, not Fiction Chris Brenton (Nov 15)
- Re: Facts, not Fiction Chris Brenton (Nov 13)
- Re: Facts, not Fiction Andreas Siegert (Nov 24)
- Re: Facts, not Fiction Marcus J. Ranum (Nov 07)