
Re: Debian secure by default?



On Sunday 25 May 2008 12:13:55 pm Ron Johnson wrote:
> On 05/25/08 14:03, Paul Johnson wrote:
> > On Saturday 24 May 2008 04:19:20 pm Todd A. Jacobs wrote:
> >> On Sat, May 24, 2008 at 11:47:05AM -0700, Paul Johnson wrote:
> >>> I see no advantage to host-based firewalls that couldn't be better
> >>> served by a router doing filtering at the edge of the network.
> >>> There's no reason to expose machines directly to the internet.
> >>
> >> Internal threats? A compromised host? Lazy sysadmins? Ignorant users?
> >> How would your perimeter security help there?
> >
> > You can't solve social problems with technological means effectively. 
> > Odds are, if they're on your internal network and you consider them a
> > security threat, you have deeper security problems that can't be solved
> > short of door locks and ensuring nobody outside can get a connection.
>
> What Todd is referring to is Defense In Depth, i.e. a layered defense.

I understand what he's getting at, but at the point they're as close as Todd 
is suggesting, perhaps it would be better to ensure no unnecessary services 
are running in the first place, and that libpam hasn't been toyed with to be 
unnecessarily insecure.  Who cares what ports are open if the attacker can
just visit the machine?

-- 
Paul Johnson
baloo@ursine.ca

Explanation of .pgp part: http://linuxmafia.com/faq/Mail/rant-gpg.html
