Date: Sun, 4 Mar 2001 10:01:48 -0600
From: Mike Meyer <mwm@mired.org>
To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc: questions@freebsd.org
Subject: RE: FreeBSD Firewall vs. Black Ice
Message-ID: <15010.26348.659989.455852@guru.mired.org>
In-Reply-To: <8738640@toto.iv>

Ted Mittelstaedt <tedm@toybox.placo.com> types:
> Where firewalling gets costly, as in sucking up your time or paying someone
> else, is when you want to have your cake and eat it too - ie: you want to be
> protected, but you also want to offer services or do different things, and
> you also want the firewall to be invisible to you, from the inside.

This is why you run two firewalls. One does little more than your
basic $100 Linksys box, and sits between your internal network and the
rest of the world. Your service boxes sit outside of it, in the
dmz. The second firewall sits between those and the internet
proper. No connections go from the outside world to the internal
network (and very little from the dmz to the internal network).

You then set the world up so that the service boxes are *generated*
from data on the internal box. Not backed up, but built. When one of
the goats gets compromised, you close the hole in the build data,
install a new OS and rebuild from the internal data.

> >Personally I'd rather err on the safe side, but MicroSoft has shown
> >by its continued existence that the world thinks otherwise. IOW MS
> >groks the world, sad as it may be.
> Remember that Microsoft products are designed for internal corporate use,
> not external Internet server production use. Internal corporate networks
> are generally more friendly than the public Internet.

That isn't sufficient explanation for their continuing to ship LookOut
with the virus-enabling - uh, script-enabling - tools turned on by
default. Unless you disallow external mail, you get as much exposure
to mail problems inside as you do outside.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
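
Added example, not part of Mike Meyer's message: a sketch of the two-firewall layout described above as ipfw rules, with a small check that neither ruleset lets a connection start toward the internal network. Interface names, addresses, the HTTP service and both function names are assumptions made for illustration; NAT and outbound traffic from the dmz hosts are left out.

```sh
#!/bin/sh
# Added example: prints ipfw rules for the two-firewall layout; nothing is applied.
# All interface names, addresses and ports below are constructed assumptions.
INT_NET="10.0.0.0/24"     # internal network (assumed)
DMZ_WEB="192.0.2.10"      # one service box in the dmz offering HTTP (assumed)

# Inner firewall: in_if faces the internal network. Only the inside may
# start a conversation; replies come back through the dynamic state.
inner_rules() {
    in_if="$1"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 allow tcp from $INT_NET to any in recv $in_if setup keep-state
add 310 allow udp from $INT_NET to any in recv $in_if keep-state
add 65000 deny log ip from any to any
EOF
}

# Outer firewall: out_if faces the internet, dmz_if faces the dmz.
outer_rules() {
    out_if="$1"; dmz_if="$2"
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 check-state
add 300 deny log ip from any to $INT_NET in recv $out_if
add 400 allow tcp from any to $DMZ_WEB 80 in recv $out_if setup keep-state
add 500 allow tcp from $INT_NET to any in recv $dmz_if setup keep-state
add 510 allow udp from $INT_NET to any in recv $dmz_if keep-state
add 65000 deny log ip from any to any
EOF
}

# Lint: count "allow" rules (loopback aside) whose source is not the internal
# net and whose destination is "any" or the internal net. It compares the
# network literal only, so it is a sanity check, not a full policy analysis.
inbound_allows() {
    awk -v net="$INT_NET" '
        $3 == "allow" && $0 !~ /via lo0/ {
            for (i = 1; i < NF; i++) {
                if ($i == "from") src = $(i + 1)
                if ($i == "to")   dst = $(i + 1)
            }
            if (src != net && (dst == "any" || dst == net)) n++
        }
        END { print n + 0 }'
}

echo "inner: $(inner_rules fxp1 | inbound_allows) inbound allow rule(s)"
echo "outer: $(outer_rules fxp0 fxp1 | inbound_allows) inbound allow rule(s)"
```

The printed lines use the form ipfw accepts in a rules file, so each ruleset can be reviewed and linted before it is loaded on the corresponding box.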