Date:      Wed, 01 May 1996 10:10:38 +0930
From:      Garth Kidd <garth@dogbert.systems.sa.gov.au>
To:        newton@communica.com.au (Mark Newton), kristyn@gnu.ai.mit.edu (Kristyn Fayette)
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: FreeBSD & firewalls
Message-ID:  <960501101757.ZM2871@jolt.systems.sa.gov.au>
In-Reply-To: newton@communica.com.au (Mark Newton) "Re: FreeBSD & firewalls" (Apr 30, 10:39)
References:  <9604300109.AA15421@communica.com.au>

On Apr 30, 10:39, Mark Newton wrote:

> Point 2:  Be aware that a single computer doesn't make a very good 
>   firewall! Simply plonking a UNIX box onto the network between you and
>   your ISP is not going to deliver anywhere near what *I* would consider
>   acceptable security (what you would consider acceptable may
>   legitimately differ, though)
> 
> Just my (professional) opinion...

I suspect it's reaching the point where the resources necessary to maintain 
comprehensive network security are beyond the reach of many sites.  Defense 
in depth with DMZ-style twin router, bastion host and inner peer 
configurations with dedicated logging hosts and personnel available 24/365 
to handle detected intrusion attempts is _expensive_. [*]

Anybody with a permanent connection to the Internet should *expect* to have 
their firewall breached, and should plan accordingly.  In particular, even 
though you can't expect to prevent all intrusion attempts, you need to know 
when one is occurring or, worse, has succeeded; you need someone to clean 
up the damage and try to plug whatever hole was exploited; and you need 
regular backups that are stored for quite a while in case someone sneaks in 
and you don't notice it for a month.

Mark, I expect I'm preaching to the converted in your case :)

Prediction: some major ISPs will begin installing firewalls to protect 
their customers.  The cost of maintaining a comprehensive firewall may well 
be bearable if spread amongst a few hundred customers.  Perhaps firewalling 
will be an optional extra, suitably priced, so those customers who _insist_ 
on having "talk" or that don't believe their site will be targeted can be 
left out in the cold on their demand.

Some US-based single-box firewall vendors offer remote monitoring services.  
Just plug in a modem and leave a connection open to your vendor, and 
they'll (allegedly) keep an eye on things for you.  I'm not convinced, but 
it's certainly better than the same box with nobody watching.

Something I'd like to see, though, is some serious discussion of the 
one-box problem for those that are home-brewing their firewall boxen.  What 
should they do to ensure that they can at least *detect* a successful 
intrusion?

*:  Relying on a single host to protect your network is one extreme [**].
    This configuration is, perhaps, the other.

**: I lied.  Connecting all of your systems to the Internet and hoping 
    that nobody will find your site interesting enough to hack is the 
    extreme.
    
-- 
garth@dogbert.systems.sa.gov.au    | Garth Kidd
 +61-8-207-7740 (voice)            | Network Services Branch
 +61-8-207-7860 (fax)              | EDS
                                   | Adelaide, AUSTRALIA
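The "one-box problem" raised at the end of the message above (how a home-brewed single-host firewall can at least *detect* a successful intrusion) is illustrated here with an added example; it is not code from the original message, from Garth Kidd, or from the FreeBSD project. It is a minimal Tripwire-style file-integrity baseline: record the hash, size and mode of every regular file while the box is known-good, keep that manifest somewhere the box cannot silently rewrite it, and diff against it on a schedule. The directory layout, file names and the simulated tampering in demo() are constructed for illustration and assume a POSIX filesystem.

```python
"""Tripwire-style file-integrity baseline for a single firewall host (added example)."""
import hashlib
import json
import os
import stat
import tempfile


def _digest(path: str) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk root and record hash, size and permission bits for every regular file.

    Keys are paths relative to root so the manifest is comparable across runs.
    Symlinks, devices and sockets are skipped; mode is recorded so a new setuid
    bit on an existing binary shows up even if its contents are unchanged.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": _digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths (sorted) between two manifests."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake system tree, then simulate an intrusion.

    The manifest is round-tripped through JSON because in real use it would be
    written to read-only media or copied to a separate logging host; an
    intruder with root on the firewall can otherwise edit the baseline too.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        files = {
            "bin/login": b"#!/bin/sh\necho real login\n",
            "bin/ls": b"#!/bin/sh\necho real ls\n",
            "etc/passwd": b"root:*:0:0:root:/root:/bin/sh\n",
            "etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        os.chmod(os.path.join(root, "bin/login"), 0o755)
        os.chmod(os.path.join(root, "bin/ls"), 0o755)

        # Known-good state, serialised as it would be when stored off the box.
        stored = json.loads(json.dumps(build_baseline(root)))

        # Simulated intrusion (constructed): trojaned login, setuid ls,
        # a hidden shell dropped in bin, and the access-control file deleted.
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"#!/bin/sh\necho trojan login\n")
        os.chmod(os.path.join(root, "bin/ls"), 0o4755)
        with open(os.path.join(root, "bin/.sh"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts.allow"))

        return compare(stored, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the comparison run would be scheduled from cron, the baseline refreshed only after deliberate upgrades, and the report shipped to a separate logging host. The check is a floor, not a ceiling: it is run from inside the operating system it is auditing, so a compromise that reaches the kernel can make the files read back clean. That is precisely why the message pairs detection with off-box logging and long-retained backups.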