On Tue, 16 Mar 2004 14:27:16 PST, Nicole <nmh@daemontech.com> said:
> From what I have heard a proxy firewall would be best?
I'll go out on a limb here and say that the actual make and model of the firewall don't matter anywhere *near* as much as a proper understanding on the client's part of what a firewall can and can't do.

It can let you know when somebody's poking at your site. But it can't do it on its own, somebody *will* have to read the logs (even if you use a good log-filtering package to trim out all the true noise).

It can't automagically secure your site. All it takes is *one* laptop or VPN connection to the "inside" from a compromised machine and you're history.

The most successful firewall installs I've encountered have invariably considered the firewall not as a "prevention device" but as an "IDS with a bad attitude". A firewall is *never* an acceptable substitute for proper end-host security procedures - the end host *must* be fully prepared to deal with a total breach of the firewall (remember - a firewall will never stop a disgruntled employee).