David is not telling the whole story. If, like in many organizations, a
small fraction of one person's time is devoted to the firewall issue,
FW-1 gives good security at low overhead. Proxy-type firewalls are much
more labor intensive, and much less flexible, for relatively little
improvement in security. If you don't have time/resources to install special
client software on every machine (as required by most proxy firewalls), or
develop custom proxies wherever needed, then FW-1 is the best solution.
Of course the trusted users inside can tunnel out through FW-1 if they want
to. But trusted users who want to leak information will not be stopped
by an application level firewall either, unless you body search everyone for
bootleg media and also cut off all modem access. (Pretty draconian.)
You have to decide what level of security is right for your organization
and apply the same level consistently. FW-1 may be right for you.
Disclaimer: I don't speak for NEC, Checkpoint, or Sun in any capacity.
-----------------------------------------------------------------------
Ed Strong EMAIL: ems @ ccrl . nj . nec . com
-----------------------------------------------------------------------
References:
- Re: FW-1, etc.
  From: David Miller <isdmill @ gatekeeper . ddp . state . me . us>