>> As far as I'm concerned, the proper filtering is to not pass packets.
>> That's the way we run. People must ftp stuff onto the firewall, then
>> off, or log in and telnet out.
Our experience at Xerox PARC is that one of the weakest links is the
users' poor selection of passwords on the firewall gateway (despite
guidelines, password checking programs, etc.). The larger the
commercial internet, the more logins on the firewall, the less secure.
We switched to using the Sun proxy gateway system to eliminate all the
user logins for outbound telnet/ftp. In my opinion, this is a far more
secure state, plus the users get the increased functionality of direct
access from their home machines. The proxy client interface is trivial
and it is easy to access and use from most types of machine. People
have also hacked together Mac and NeXT interfaces here at PARC.
There are many other aspects to the Xerox PARC firewall system to
support the various needs of a diverse R & D community, but I'm not sure
it is a good idea to go into all the details here.