Firewall Wizards mailing list archives
Re: Facts, not Fiction
From: Andreas Siegert <afx () ibm de>
Date: Mon, 24 Nov 1997 17:51:32 +0100
Sorry for coming back to you so late, I was gone for a while...
Quoting Chris Brenton (cbrenton () sover net):
> I guess I have a bit of a problem with blanket statements like this one. It insinuates that there is a "one size fits all" solution to protecting a network which is clearly not the case. A risk analysis should be performed in order to determine what level of security is actually required. Let me throw out a few examples:
Well, multistage doesn't mean one size fits all. For me it means that I need to utilize at least a packet filter and an application gateway. Of course, there can be much more to it.
> Case 1: A pure Mac shop with an ISDN connection to the Internet. There are no internal IP services. Users connect through the ISDN connection in order to access POP mail from an ISP and browse the web.
Good ISDN routers have a packet filter and using a local proxy surely helps performance, security and enforces local access policies. But I must admit I rarely work with customers in that class.
> Case 2: A national bank running the latest UNISYS system with integrated NT server. System access is via IP. The bank has a T1 connection to the Internet and wishes to allow customers to administrate their bank accounts via the Internet.
Then I probably have three stages at least plus a lot of stuff around it...
> While these two cases are a bit extreme, it's clear that they do not require the same level of security. A multistage design for case 1 would probably be overkill. Again, this is all IMO. Insisting that a multistage design is always required so long as the customer can afford it, rings too much like a sales person who knows what they want to sell you before they even know what you need.
If I recommend a solution, my name is on it. In this business, you live by reputation. Therefore I will never recommend a solution that I would refuse to accept for myself.
bye
afx
--
Andreas Siegert afx () ibm de / afx () barolo munich de ibm com / AFX at IPNET
PGP Key:http://www.muc.de/~afx/pubkey.asc, KeyId AB26FD05