My MUA insists that Bill Stout wrote:
> If placing a firewall at the internet only addresses 20% of the
> security breaches, why not address part of the 80% internal
> breaches by moving (the) firewall towards the servers?
> Has anyone done this?
> Internet---Router---Desktops---Firewall----Servers/Multiuser systems
> I realize the desktop systems can't have 'services', but hopefully
> all critical data will reside on servers only.
The issue I have with this is the trust that is necessary between the servers and desktop systems. I see firewalls primarily sitting at the interface between networks (Internet or, as much as I hate to use a new buzzword, Intranet). I agree that it could be useful to have some of the same functionality of a firewall where you suggest in certain environments, but not likely a fullblown firewall.
However, simply shifting or expanding the location of the firewall(s) misses the entire point of this 75-80% that has become so hip to mention lately. While critical data may 'reside' only on the servers, people need to see it for it to be useful. It will reach the desktop and the network the desktop uses in some form. To cover this part, security at the host, network, and social levels needs to be examined as well.
Paul M. Cardon - System Officer
Capital Markets Systems - First Chicago NBD Corporation
com - (312) 732-7392
I never give them hell. I just tell the truth and they think it's hell. - H. Truman
MD5 (/dev/null) = d41d8cd98f00b204e9800998ecf8427e