Assuming you are only allowing in traffic to enable connections to services running in the DMZ (from private & public segments), a firewall is a necessary but insufficient link in the security "chain". They differ in capabilities and options, but essentially firewalls are up-to-layer-4 devices, with a few incursions into upper-layer protocols for FTP and H.323.

Individual services need to be protected by application-specific firewalls (such as SecureIIS for IIS; SMTP, SQL, Exchange and Notes have similar add-ons), host-based intrusion detection, network intrusion detection, host-based O/S integrity checkers (Tripwire), anti-virus software, etc.

Clients in the private zone need to be transparently (or forcibly) put through a proxy + virus and optionally content inspection for the HTTP, FTP and SMTP protocols.

All of the above provides protection from Internet threats; private networks could use anti-virus software (with forced auto-updates from a local server which updates its virus definitions daily from the AV software vendor), network IDS, host IDS & O/S integrity checkers for local servers, a secure network resource access policy, authentication, strong encryption of sensitive traffic...

Permitting only allowed traffic and blocking everything else is also a good general practice. It invariably generates complaints from users, but it is more restrictive and far safer than allowing everything except what is not permissible.

Finally, more important than all of the above, you need the human resources to manage the different components of security. Someone's got to watch and interpret the logs generated by the devices and applications, and take corrective action if necessary.

_______________________________________________
firewall-wizards mailing list
firewall-wizardsat_private
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
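As an added illustration (not part of the original post), the default-deny practice described above, written as an nftables forward ruleset for the three segments the post assumes: a public interface, a private client segment and a DMZ hosting the published services and the mandatory proxy. Interface names, subnets, host addresses and ports are assumptions for the example.

```nft
# Added example, not from the original post. Assumed layout:
#   eth0 = public/Internet, eth1 = private clients 10.0.1.0/24,
#   eth2 = DMZ 10.0.2.0/24 (web/mail servers, proxy at 10.0.2.5:3128)
table inet dmz_fw {
    chain forward {
        # Default policy drops anything not explicitly permitted below.
        type filter hook forward priority 0; policy drop;

        # Stateful: let replies to already-permitted sessions through,
        # and discard packets that fit no known connection.
        ct state established,related accept
        ct state invalid drop

        # Public -> DMZ: only the published services, nothing else.
        iifname "eth0" oifname "eth2" ip daddr 10.0.2.0/24 \
            tcp dport { 80, 443, 25 } ct state new accept

        # Private -> DMZ: the same services, plus the proxy that private
        # clients are forced through for HTTP/FTP.
        iifname "eth1" oifname "eth2" ip saddr 10.0.1.0/24 \
            ip daddr 10.0.2.0/24 tcp dport { 80, 443, 25 } ct state new accept
        iifname "eth1" oifname "eth2" ip saddr 10.0.1.0/24 \
            ip daddr 10.0.2.5 tcp dport 3128 ct state new accept

        # DMZ -> public: only the proxy fetching web content and the
        # mail relay delivering outbound mail.
        iifname "eth2" oifname "eth0" ip saddr 10.0.2.5 \
            tcp dport { 80, 443 } ct state new accept
        iifname "eth2" oifname "eth0" ip saddr 10.0.2.0/24 \
            tcp dport 25 ct state new accept

        # No rule permits private -> public directly, or public -> private,
        # so those fall through to the drop policy. Log (rate-limited) what
        # is dropped so someone can actually watch and interpret it.
        limit rate 5/second log prefix "fw-drop: "
    }
}
```

Note that, as the post says, this ruleset sees ports and connection state only; whether the traffic allowed to port 80 or 25 is benign is left to the application-layer controls and the people reading the "fw-drop:" lines.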
This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 06:23:03 PDT