From owner-freebsd-questions Sun Mar 4 16:48:17 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.freebsd-corp-net-guide.com (mail.freebsd-corp-net-guide.com [206.29.169.15]) by hub.freebsd.org (Postfix) with ESMTP id 812A137B718 for ; Sun, 4 Mar 2001 16:48:13 -0800 (PST) (envelope-from tedm@toybox.placo.com)
Received: from tedm.placo.com (nat-rtr.freebsd-corp-net-guide.com [206.29.168.154]) by mail.freebsd-corp-net-guide.com (8.11.1/8.11.1) with SMTP id f250m9N19875; Sun, 4 Mar 2001 16:48:10 -0800 (PST) (envelope-from tedm@toybox.placo.com)
From: "Ted Mittelstaedt"
To: "Mike Meyer"
Cc:
Subject: RE: FreeBSD Firewall vs. Black Ice
Date: Sun, 4 Mar 2001 16:48:08 -0800
Message-ID: <005401c0a50d$f25b4700$1401a8c0@tedm.placo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0
In-Reply-To: <15010.26348.659989.455852@guru.mired.org>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

>-----Original Message-----
>From: owner-freebsd-questions@FreeBSD.ORG
>[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Mike Meyer
>
>This is why you run two firewalls. One does little more than your
>basic $100 Linksys box, and sits between your internal network and the
>rest of the world. Your service boxes sit outside of it, in the
>dmz. The second firewall sits between those and the internet
>proper. No connections go from the outside world to the internal
>network (and very little from the dmz to the internal network). You

Not always possible.

>then set the world up so that the service boxes are *generated* from
>data on the internal box. Not backed up, but built. When one of the
>goats gets compromised, you close the hole in the build data, install
>a new OS and rebuild from the internal data.
>

Setting up a DMZ and dual firewalls is a component of effective security if you're going to be offering services, but you can't get away from the complexity. A DMZ/dual firewall situation is not simple, which is my point - you can't have a simple/easy firewall without giving something up. If you don't want to pay for it, either in terms of investing your time to do it right, or investing your money to have someone do it for you, then a dual firewall situation isn't going to help that.

>> >Personally I'd rather err on the safe side, but MicroSoft has shown
>> >by its continued existence that the world thinks otherwise. IOW MS
>> >groks the world, sad as it may be.

>> Remember that Microsoft products are designed for internal corporate use,
>> not external Internet server production use. Internal corporate networks
>> are generally more friendly than the public Internet.
>
>That isn't sufficient explanation for their continuing to ship LookOut
>with the virus-enabling - uh, script-enabling - tools turned on by
>default. Unless you disallow external mail, you get as much exposure
>to mail problems inside as you do outside.
>

Remember Microsoft's world view of e-mail. In their frame of reference, if you want to build an Enterprise mail system, you DON'T run Outlook Express, and on your regular Outlook clients, you run Exchange Connector going to an Exchange server. Microsoft doesn't themselves produce virus-filtering software, and as such one of their standing recommendations when putting in an Exchange server is to load anti-virus on the Exchange server if you're going to do Internet mail. From their view, people running Outlook or Outlook Express with the Internet Mail connector are doing it entirely at their own risk, and are NOT running an Enterprise mail system. A mail system like what we install - where a BSD mailserver is used with Outlook Express clients - is something that they are either actively against, or at the least, doing nothing to help come about.
It's a simple matter to patch Sendmail to filter .vbs and .scr attachment files. At the ISP I work at we have been doing this for a year and a half, and it's effectively protected our customers from all of the script viruses that have made the rounds.

When designing a firewall I frankly don't consider virus protection to be a valid part of it. Why? Because some of the most damaging viruses aren't introduced via the network, but through infected floppies that originate from home or elsewhere. Any organization that's serious about virus protection should be running anti-virus right on the desktops, and if they are running the current Norton products on Win98/ME/2K, those virus products can be installed to filter incoming and outgoing Internet mail.

Anyway, I agree with you that script processing shouldn't be shipped enabled from the factory, but that's because I want to use BSD mailservers with free Microsoft e-mail clients. I do recognize, however, that since enabling script processing on the Microsoft mail clients isn't a problem if using Microsoft mailserver products, Microsoft has a perfectly valid point of view as to why there's not a problem with shipping mail clients with script processing enabled. I'm also recognizing that when I set up a mailsystem with Microsoft mail clients and a BSD server, Microsoft isn't being compensated for their effort spent developing the mail client software. So, if I'm going to take advantage of the free Microsoft mail clients without compensating them, I had better not complain about their deficiencies.

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com
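The attachment-extension filtering Ted says his ISP applied to .vbs and .scr files, shown as an added example that is not part of the thread and is not his Sendmail patch. It is a stand-alone Python filter over a parsed MIME message using only the standard library; how it is hooked into the MTA (a milter, a procmail stage, or a content filter) is assumed and not shown, and the sample message it runs on is constructed here. It uses the last extension of the filename because that is what the receiving client uses to choose a handler, so a double-extension name such as `invoice.txt.vbs` is caught while `notes.vbs.txt` is left alone.

```python
"""Attachment-extension filter (added example, not the mailing-list author's
Sendmail patch). Blocks the two extensions named in the mail and either
reports or strips matching parts from a parsed MIME message. Hooking this
into an MTA is assumed and not shown."""
import email
from email import policy
from email.message import EmailMessage

# The two extensions named in the mail. Extending this set is a site decision.
BLOCKED_EXTENSIONS = {".vbs", ".scr"}


def is_blocked_name(name):
    """True if the name's LAST extension is blocked (case-insensitive).

    Windows picks the handler by the last extension, so 'invoice.txt.vbs'
    runs as a script and is caught, while 'notes.vbs.txt' opens as text.
    """
    lowered = name.strip().lower()
    dot = lowered.rfind(".")
    return dot != -1 and lowered[dot:] in BLOCKED_EXTENSIONS


def attachment_names(raw):
    """All filenames a mail client would show for the parts of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back
        # to the Content-Type name= parameter, which is what clients do too.
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def find_blocked_attachments(raw):
    """Names of attachments in the raw message that the filter would block."""
    return [n for n in attachment_names(raw) if is_blocked_name(n)]


def strip_blocked_attachments(raw):
    """Return (cleaned message bytes, list of removed names).

    Blocked parts are replaced in place by a short text notice so the MIME
    structure stays valid and the recipient learns something was removed.
    set_content() first clears the old payload and every Content-* header,
    including the Content-Disposition that carried the blocked filename.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name and is_blocked_name(name):
            removed.append(name)
            part.set_content("[attachment %r removed by mail filter]\n" % name)
    return msg.as_bytes(), removed


def build_sample():
    """Constructed sample message (not real mail): body, a .txt, and a .VBS."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "user@example.invalid"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.\n")
    m.add_attachment("plain notes\n", filename="notes.txt")
    m.add_attachment(b"MsgBox 1\r\n", maintype="application",
                     subtype="octet-stream", filename="invoice.txt.VBS")
    return m.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed)
    print("remaining attachments:", attachment_names(cleaned))
```

Stripping rather than bouncing keeps the rest of the message deliverable and gives the recipient a visible notice, which is usually preferable to a silent drop; rejecting at SMTP time instead is a policy choice the MTA hook would make.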