nanog mailing list archives

Re: Firewall opinions wanted please


From: "Alexei Roudnev" <alex () relcom net>
Date: Wed, 17 Mar 2004 22:20:51 -0800



> And I think you have hit it right on the head...another line of defense.
> Everything I've ever read about security (network or otherwise) suggests
> that a layered approach increases effectiveness.  I certainly don't trust a
> firewall appliance as my only security device, so I also do prudent things
> like disable ports and applications that are not in use on my network and
> enforce authentication and authorization for access to legitimate services.

Unfortunately, it decreases it.

If I turn off file sharing on a Windows server, I'll increase security but
complicate support (in some cases).
If I run an IDS system, I spend time verifying and approving changes made by
maintainers. And so on.

So, it is very important to have a strong FIRST line of defense (inbound
firewalls) and last line (host IDS); it allows you to gain a little more
efficiency by keeping convenient (but not very secure) protocols inside your
internal network. Otherwise, you end up in full paranoia.
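The two layers the post names, a default-deny inbound filter in front and a host integrity check behind, as an added example in Python; it is not code from the thread or from any NANOG poster. The 10.0.0.0/8 internal range, the rule set, the SHA-256 file check standing in for a host IDS, and the sample files are all assumptions made for the illustration.

```python
"""Added example: default-deny inbound filtering (first line) plus a host
file-integrity check (last line).  Rules, ranges and files are assumed."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed internal address range; any other source is treated as outside.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                       # "accept" or "drop"
    src_net: Optional[ipaddress.IPv4Network] = None   # None = any source
    proto: Optional[str] = None                       # None = any protocol
    dport: Optional[int] = None                       # None = any port


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_net is not None and ipaddress.ip_address(pkt.src) not in rule.src_net:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


# First match wins.  The "convenient but not very secure" protocol (SMB on
# tcp/445) is accepted only from the internal range; only the service meant
# to be public (tcp/443) is accepted from anywhere.  Assumed policy.
INBOUND_RULES: List[Rule] = [
    Rule("accept", INTERNAL_NET, "tcp", 445),
    Rule("accept", None, "tcp", 443),
    Rule("accept", INTERNAL_NET, "tcp", 22),
]


def filter_inbound(pkt: Packet, rules: List[Rule] = INBOUND_RULES) -> str:
    """Return 'accept' or 'drop'.  Whatever no rule accepts is dropped:
    the strength of the first line is the default deny, not the list."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


# ---- last line: host integrity check, a minimal stand-in for a host IDS ----

def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest per path, taken once on a known-good host."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(base: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Report modified, missing and new paths relative to the baseline."""
    findings = []
    for path, digest in base.items():
        if path not in current:
            findings.append(f"missing: {path}")
        elif hashlib.sha256(current[path]).hexdigest() != digest:
            findings.append(f"modified: {path}")
    for path in current:
        if path not in base:
            findings.append(f"new: {path}")
    return sorted(findings)


# Constructed sample host state; these are not real files.
KNOWN_GOOD = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
}
AFTER_CHANGE = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
    "/tmp/.hidden": b"\x7fELF",
}


def demo() -> List[str]:
    """Run both layers on the constructed input; return the IDS findings."""
    outside_smb = Packet("203.0.113.9", "10.0.0.5", "tcp", 445)
    inside_smb = Packet("10.1.2.3", "10.0.0.5", "tcp", 445)
    print("outside -> smb:", filter_inbound(outside_smb))  # drop
    print("inside  -> smb:", filter_inbound(inside_smb))   # accept
    return check_integrity(baseline(KNOWN_GOOD), AFTER_CHANGE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The point of the split is visible in the two results: SMB from inside is accepted because the border already rejected it from outside, and the sshd_config change plus the unexpected /tmp binary are caught by the host check regardless of which layer an attacker came through. The cost the post mentions is also real here: every legitimate config change shows up as a finding that someone has to review and re-baseline.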


