Re: Need Help Building Linux Based Firewall

[Devdas Bhagat <dodobh () nettaxi com>]

On 28/11/02 09:23 +0530, phani () myrealbox com wrote:
<snip>
> > 2.  What are the application/software required to be installed?
> Again, if you are running a separate box as the firewall , then *no* app 
> shld be installed except for the firewall. 
What about application proxies? SOCKS? I would definitely consider
proxies as part of a firewall (OSI layer 7).
If you mean a firewall only as a stateful packet filter, then yes no
applications should be running there. But if you consider a firewall as
a security system, then application layer proxies should be included in
too.
The best packet filter in the world will not protect your unpatched
public Apache box from being exploited. OTOH, breaking into a patched
Apache box is a different issue.
Security is a process. Defense must be in depth.
ACLs on the edge routers to prevent RFC 1918 addresses from entering
your network, egress filtering, SPFs to reduce noise close to
the edge, Application layer firewalls defending applications, secure
code in the applications themselves, encrypted network communications,
IDS, clued up users..........

The ultimate firewall of course, is secure code, running on a
physically secure machine, with level 8 security in place.

Firewalls as a bandage for bad code are a bad idea. Properly used to
segment networks with varying security requirements, they can be useful.

Devdas Bhagat