From: "Ahsan Ali"
Subject: Re: Best security topology for FreeBSD
Date: Mon, 27 Nov 2000 00:12:06 +0500

What would the ideal security model for an ISP with a lot of sites and services hosted be? Clients coming in through access servers and additional routers/router interfaces.

I'd look at number two but apart from the main authentication servers, there isn't much that goes at the extreme backend, is there?

-Ahsan

----- Original Message -----
From: "Crist J. Clark"
To: "Andre Hall"
Cc: "G Brehm"
Sent: Monday, November 26, 2001 1:19 PM
Subject: Re: Best security topology for FreeBSD

> On Sat, Nov 24, 2001 at 07:48:55PM -0800, Andre Hall wrote:
> [snip]
>
> > There is a reason why most security industry has
> > stuck with the approach,
>
> Because it is cheaper and easier to do as a "drop in" solution.
>
> > it is practical
>
> It is actually harder to properly configure. However, the fact many
> vendors cater to the market has made the "knowledge base" on the
> design fairly deep.
>
> > and a fool proof
>
> It is far, far from fool proof. Security is never fool proof.
>
> > way of guarding
> > internal assets while provided the necessary exposures to services others
> > need to access.
>
> I do agree that for small sites it may not make sense to devote the
> resources to the stronger, layered design. Security is never
> absolute. It is always balanced against cost.
> --
> Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message