Date:      Thu, 8 Dec 2005 11:25:00 -0600
From:      Will Maier <willmaier@ml1.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: Firewall concepts
Message-ID:  <20051208172500.GW2413@merkur.atekomi.net>
In-Reply-To: <AE41C3C123D61B45B457F3037275842F1E08B0@DC-EX-001.evendi.local>
References:  <AE41C3C123D61B45B457F3037275842F1E08B0@DC-EX-001.evendi.local>

On Thu, Dec 08, 2005 at 03:47:00PM +0100, Marcus Franke wrote:
> Concerning the manageability I would say, yes, you are right. One
> should invent a solution like the manageability of WinXP SP2 with
> the help of the ActiveDirectory in a windows server domain.

> One ruleset for all boxes.

There are several implementations of this idea; cfengine being
perhaps the most popular. If you're only managing a few hosts, you
could probably also use a versioning system like CVS or SVN to
achieve a similar effect.

> But, often you read that attacks against servers will be done from
> the inside network. 

This is why 'defense in depth' has become a popular mantra for
infosec people of late. Defending the perimeter often isn't enough,
especially in difficult-to-control environments (like some
businesses or most universities). Centrally administered host
firewalls often help plug holes that can't be covered on the
perimeter.

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier@jabber.ccc.de | email:..........wcmaier@ml1.net |
| \.........wcmaier@cae.wisc.edu | \..........wcmaier@cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*


