Firewall Wizards mailing list archives

Re: Facts, not Fiction


From: Andreas Siegert <afx () ibm de>
Date: Mon, 24 Nov 1997 17:51:32 +0100

Sorry for coming back to you so late, I was gone for a while...

Quoting Chris Brenton (cbrenton () sover net):

I guess I have a bit of a problem with blanket statements like this one. It
insinuates that there is a "one size fits all" solution to protecting a network
which is clearly not the case. A risk analysis should be performed in order to
determine what level of security is actually required. Let me throw out a few
examples:

Well, multistage doesn't mean one size fits all.
For me it means that I need to utilize at least a packet filter and an
application gateway. Of course, there can be much more to it.

Case 1: A pure Mac shop with an ISDN connection to the Internet. There are no
internal IP services. Users connect through the ISDN connection in order to access
POP mail from an ISP and browse the web.

Good ISDN routers have a packet filter and using a local proxy surely helps
performance, security and enforces local access policies.
But I must admit I rarely work with customers in that class.

Case 2: A national bank running the latest UNISYS system with integrated NT
server. System access is via IP. The bank has a T1 connection to the Internet and
wishes to allow customers to administrate their bank accounts via the Internet.

Then I probably have three stages at least plus a lot of stuff around it...

While these two cases are a bit extreme, it's clear that they do not require the
same level of security. A multistage design for case 1 would probably be overkill.
Again, this is all IMO. Insisting that a multistage design is always required so
long as the customer can afford it, rings too much like a sales person who knows
what they want to sell you before they even know what you need.

If I recommend a solution, my name is on it. In this business, you live by
reputation. Therefore I will never recommend a solution that I would refuse to
accept for myself. 

bye
afx
-- 
Andreas Siegert       afx () ibm de / afx () barolo munich de ibm com / AFX at IPNET
PGP Key:http://www.muc.de/~afx/pubkey.asc, KeyId AB26FD05


