On Thu, Feb 5, 2015 at 10:47 AM, Roland Dobbins <rdobbins@arbor.net> wrote:
On 6 Feb 2015, at 0:38, Raymond Burkholder wrote:
There must be some sort of value in that?
No - patch the servers.
Patching servers protects against >0 Day attacks only. This does not protect against 0 day attacks, unless you know of an OS vendor that writes good code without security holes. What type of device is needed depends on risk, what you are protecting, what attacks are important, etc. It's not a simple matter of "firewall bad" or "firewall good". I won't even get into the stateless-vs-stateful debate, because it's more complex than "stateful bad" (*cough* SIP *cough*). Nor will I mention that it depends on what you're protecting to figure out how much of each of availability or confidentiality or integrity you need - you might need lots of integrity but little availability, for instance.