Date: Thu, 8 Dec 2005 11:25:00 -0600
From: Will Maier <willmaier@ml1.net>
To: freebsd-pf@freebsd.org
Subject: Re: Firewall concepts
Message-ID: <20051208172500.GW2413@merkur.atekomi.net>
In-Reply-To: <AE41C3C123D61B45B457F3037275842F1E08B0@DC-EX-001.evendi.local>
References: <AE41C3C123D61B45B457F3037275842F1E08B0@DC-EX-001.evendi.local>

On Thu, Dec 08, 2005 at 03:47:00PM +0100, Marcus Franke wrote:
> Concerning the manageability I would say, yes, you are right. One
> should invent a solution like the manageability of WinXP SP2 with
> the help of the ActiveDirectory in a windows server domain.
> One ruleset for all boxes.

There are several implementations of this idea, cfengine being
perhaps the most popular. If you're only managing a few hosts, you
could probably also use a versioning system like CVS or SVN to
achieve a similar effect.

> But, often you read that attacks against servers will be done from
> the inside network.

This is why 'defense in depth' has become a popular mantra for
infosec people of late. Defending the perimeter often isn't enough,
especially in difficult-to-control environments (like some
businesses or most universities). Centrally administered host
firewalls often help plug holes that can't be covered on the
perimeter.

-- 
o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier@jabber.ccc.de | email:..........wcmaier@ml1.net |
| \.........wcmaier@cae.wisc.edu | \..........wcmaier@cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*