Date:      Mon, 5 Mar 2001 15:53:32 -0600
From:      Mike Meyer <mwm@mired.org>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc:        questions@freebsd.org
Subject:   RE: FreeBSD Firewall vs. Black Ice
Message-ID:  <15012.2780.995581.824426@guru.mired.org>
In-Reply-To: <21735497@toto.iv>

Ted Mittelstaedt <tedm@toybox.placo.com> types:
> Right, but you were talking about cost-benefit as though having a cracked
> site is a cost that has to be considered.  What I'm trying to point out is
> that there's no excuse for having a cracked site - i.e., the cost of a cracked
> site is a bogus cost because el-cheapo firewalling that isn't half-bad is
> available to anyone, no matter how little they know about firewalling.

Um - do you really believe that there's such a thing as an uncrackable
firewall? Short of disconnecting from the network, that is.

Those "not half-bad" boxes work to keep script kiddies out, and will
continue to do so if you update them regularly. They are only slightly
harder to configure and use than a rock, no matter how much you know about
firewalling and networking. But I'm not convinced they'll stop a
determined attack.

For firewalls, it's really a cost-cost analysis. One cost is yours -
how much it costs to set up and maintain your firewall. The other cost
is the attackers - how much it's going to cost them to get through
your firewall. The trick to avoiding breakins is to make their cost
higher than the benefit they get from breaking in. Raising your cost
should raise theirs. Setting things up so you have very low recovery
times will lower theirs - and may not raise yours.

Most home LANs probably won't attract the attention of anything more
than script kiddies, so the PNP router/firewall boxes are probably
sufficient. If you're a large company, a major web presence, an ISP,
or a firewall expert (I'm not - I just had the privilege of having one
of the best as a friend and client), you'll attract a more expert
class of attention - and thus need a better firewall.

> >The thing is, that whilst you know that's asking for trouble and I know
> >that's asking for trouble; that's what the client is asking for!
> There's a time when you have to give the customer trouble if that is what
> they are asking for.  If they truly want NT then provide it to the best that
> it can be done and then when it falls apart, you can tell them "OK, now that
> we have gone down that road and you have satisfied yourself that it's
> worthless, let me do it the right way for you now"

This is part of the consultant's credo: "You must sometimes give the
customer what they want. This is sufficiently strong medicine that a
single dose is usually enough."

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
