On 1/9/10 10:32 PM, "Dobbins, Roland" <rdobbins@arbor.net> wrote:
On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
Again, a firewall has it's place just like any other device in the network, defense in >>> depth is a prudent philosophy to reduce the chances of compromise, it does not >>>eliminate it nor does any architecture you can think of, period
What a ridiculous statement - of course it does.
*The place of the stateful firewall is in front of clients, not servers*.
I'm not going to continue the unequal contest of pitting real-world operational experience against Confused Information Systems Security Professional brainwashing. One can spout all the buzzwords and catchphrases one wishes, but at the end of the day, it's all dead wrong - and anyone naive enough to fall for it is setting himself up for a world of hurt.
I certainly understand and agree with your position, in most cases, but there are some instances when a firewall serves an excellent purpose. As an example, we manage hundreds of heterogeneous servers where customers also have administrative access to the devices. As such, we can never be sure they haven't changed something that can negatively impact the security of the server or servers. However, since the firewall is a magic box they don't want anything to do with it. This means that I can keep a server fairly secure from extraneous cruft and have a demarcation point into and out of the customer's environment that I control. I understand this does nothing for SQL injection, XSS, and other application-layer mischief, but it does wonders for keeping all the other stuff blocked, even when an customer "admin" says "why do I need Windows Firewall?" I wish I had a perfect world where I had a homogenous server environment that I controlled all the way through the stack with only one Management Layer to deal with. But, I'm glad I don't because these customers pay my salary. Regards, Mike