Firewall Wizards mailing list archives

Re: SANS Top Ten and Commercial Firewalls


From: "George J. Jahchan" <Firewall-Wizards () Tech InteractiveNetworks net>
Date: Fri, 4 Oct 2002 08:52:39 +0200

Assuming you are only allowing in traffic to enable connections to services
running in DMZ (from private & public segments), a firewall is a necessary
but insufficient link in the security "chain". They differ in capabilities
and options, but essentially firewalls are up-to-layer 4 devices, with a few
incursions into upper layer protocols for ftp and H.323.

Individual services need to be protected by application-specific firewalls
(such as SecureIIS for IIS; smtp, SQL, Exchange and Notes have similar
add-ons), host-based intrusion-detection, network intrusion detection,
host-based O/S integrity checkers (TripWire), anti-virus software, etc...

Clients in the private zone need to be transparently (or forcibly) put
through a Proxy + Virus & optionally content inspection for http, ftp and
smtp protocols.

All of the above provides protection from Internet threats; private networks
could use anti-virus software (with forced auto-updates from a local server
which updates its virus definitions daily from the AV software vendor),
network IDS, host IDS & O/S integrity checker for local servers, secure
network resource access policy, authentication, strong encryption of
sensitive traffic...

Permitting only allowed traffic and blocking everything else is also a good
general practice. It invariably generates complaints from users, but it is
more restrictive and far safer than allowing everything except what is not
permissible.

Finally, more important than all of the above, you need the human resources
to manage the different components of security. Someone's got to watch and
interpret the logs generated by the devices and applications, and take
corrective action if necessary.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
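The post's two policy points, "only allow in traffic to services running in the DMZ" and "permit only allowed traffic and block everything else", are easiest to reason about when the policy is kept as data and the firewall rules are generated from it. The following is an added example, not code from the post or its author: it models the allow list as a small rule table, evaluates constructed connection attempts under a default-deny policy and, for contrast, under a default-allow-plus-blocklist policy, and renders the allow list as an nftables forward chain. The zone names, interface names (`lan0`, `dmz0`, `wan0`) and the service ports are assumptions chosen for the illustration.

```python
"""Default-deny forwarding policy modelled as data (constructed example)."""
from dataclasses import dataclass
from typing import Iterable

# Hypothetical zone-to-interface map for a three-legged firewall (assumed names).
ZONE_IFACE = {"private": "lan0", "dmz": "dmz0", "public": "wan0"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Flow:
    """A new connection attempt as seen by the forward hook."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (
        flow.src_zone, flow.dst_zone, flow.proto, flow.dport)


# The only connections permitted: inbound to DMZ services from both the
# private and the public segment. Ports are constructed sample values.
ALLOW_RULES = [
    Rule(src, "dmz", "tcp", port)
    for src in ("public", "private")
    for port in (25, 80, 443)
]

# A blocklist of the kind a "deny what is not permissible" policy relies on.
# It can only enumerate what the administrator already thought of.
BLOCK_RULES = [
    Rule("public", "private", "tcp", 445),
    Rule("public", "dmz", "tcp", 3306),
]


def default_deny(flow: Flow, rules: Iterable[Rule] = ALLOW_RULES) -> bool:
    """Permit a flow only if an explicit allow rule matches it."""
    return any(matches(r, flow) for r in rules)


def default_allow(flow: Flow, blocked: Iterable[Rule] = BLOCK_RULES) -> bool:
    """Permit everything except flows matching an explicit block rule."""
    return not any(matches(r, flow) for r in blocked)


def compare(flows: Iterable[Flow]) -> list:
    """Return (flow, default_deny verdict, default_allow verdict) per flow."""
    return [(f, default_deny(f), default_allow(f)) for f in flows]


def to_nftables(rules: Iterable[Rule] = ALLOW_RULES) -> str:
    """Render the allow list as an nftables forward chain with policy drop."""
    lines = [
        "table inet fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f'    iifname "{ZONE_IFACE[r.src_zone]}" '
            f'oifname "{ZONE_IFACE[r.dst_zone]}" '
            f"{r.proto} dport {r.dport} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed connection attempts, including one the blocklist never anticipated.
    samples = [
        Flow("public", "dmz", "tcp", 80),        # web server in the DMZ
        Flow("private", "dmz", "tcp", 25),       # internal mail relay
        Flow("public", "dmz", "tcp", 3306),      # database port exposed by mistake
        Flow("public", "private", "tcp", 3389),  # RDP into the private segment
    ]
    for flow, deny_verdict, allow_verdict in compare(samples):
        print(f"{flow}: default-deny={deny_verdict} default-allow={allow_verdict}")
    print(to_nftables())
```

Running the script shows the difference the post is pointing at: under default-deny the RDP attempt into the private segment is dropped because nothing permits it, while the blocklist policy lets it through because nobody wrote a rule against it. Keeping the policy in one table also means the generated nftables chain and the review of "what is actually allowed" come from the same source.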
