> On Wed, 20 Dec 1995, Craig Anderson wrote:
>
> > > Don't forget to harden the underlying OS before installing, a
> > > point which the manual makes no mention of. I've seen FW-1s running
>
> > I say that this is not necessary. If you set up your filters
> > correctly, then Solaris will never see any packets it's not
> > supposed to since the filters operate between the ethernet
>
> Uhh. Wait a minute. Are you running sendmail? and ftp server? Then you
> should. What about someone who decides to tunnel past your firewall and
> launches an IP w/i IP attack, esp. w/ UDP? What about someone from
> inside who wants to gain root? Your firewall can be your best defense,
> but there's always a way around one if you know your stuff (at least
> that's the approach that I take)...
>
> Brain21

If you don't allow any packets to land on the firewall (all services
are provided by other machines on the DMZ) then there is no risk to
the firewall itself. The DMZ machines are at risk, but they are in
captivity and can't get too far. But I don't let packets land on
the firewall from either inside or out; it only routes within the
constraints of the filters.

Craig