From owner-freebsd-security Mon Nov 26 10:20:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from gull.prod.itd.earthlink.net (gull.mail.pas.earthlink.net [207.217.120.84]) by hub.freebsd.org (Postfix) with ESMTP id ABE9D37B416 for ; Mon, 26 Nov 2001 10:20:23 -0800 (PST) Received: from user-38lc2nf.dialup.mindspring.com ([209.86.10.239] helo=gohan.cjclark.org) by gull.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 168QMd-0002Py-00; Mon, 26 Nov 2001 10:20:21 -0800 Received: (from cjc@localhost) by gohan.cjclark.org (8.11.6/8.11.1) id fAQ8JVQ00357; Mon, 26 Nov 2001 00:19:31 -0800 (PST) (envelope-from cjc) Date: Mon, 26 Nov 2001 00:19:31 -0800 From: "Crist J. Clark" To: Andre Hall Cc: myraq@mgm51.com, G Brehm , security@FreeBSD.ORG Subject: Re: Best security topology for FreeBSD Message-ID: <20011126001931.D222@gohan.cjclark.org> Reply-To: cjclark@alum.mit.edu References: <20011125013812.9839.qmail@web10106.mail.yahoo.com> <200111242124560932.023F3386@home.24cl.com> <002801c17564$1b5e2a60$060aa8c0@pcgameauthority.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <002801c17564$1b5e2a60$060aa8c0@pcgameauthority.com>; from ahall@pcgameauthority.com on Sat, Nov 24, 2001 at 07:48:55PM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Nov 24, 2001 at 07:48:55PM -0800, Andre Hall wrote: [snip] > There is a reason why most security industry has > stuck with the approach, Because it is cheaper and easier to do as a "drop in" solution. > it is practical It is actually harder to properly configure. However, the fact many vendors cater to the market has made the "knowledge base" on the design fairly deep. > and a fool proof It is far, far from fool proof. Security is never fool proof. > way of guarding > internal assets while provided the necessary exposures to services others > need to access. I do agree that for small sites it may not make sense to devote the resources to the stronger, layered design. Security is never absolute. It is always balanced against cost. -- Crist J. Clark cjclark@alum.mit.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message