Re: Facts, not Fiction
Bennett Todd (bet at rahul.net)
Fri, 14 Nov 1997 03:46:46 -0800
- Next message: Aleph One: "Re: chroot useful?"
- Previous message: Bernhard Schneck: "Re: chroot useful?"
- In reply to: Douglas R. Steinbaum: "Re: chroot useful?"
- Next in thread: chuck yerkes: "Re: Facts, not Fiction"
1997-11-13-06:12:01 Chris Brenton wrote:
> Andreas Siegert wrote:
> > Unless the customer is on an extreme low budget, I always use a
> > multistage design. Anything else would be irresponsible in my
> > opinion.
> I guess I have a bit of a problem with blanket statements like this
> one. It insinuates that there is a "one size fits all" solution to
> protecting a network which is clearly not the case. A risk analysis
> should be performed in order to determine what level of security is
> actually required.
I hadn't really thought about it in as many words before, but now that
you rub my nose in it, I guess I have come to endorse a bit of a ``one
size fits all'' approach to firewalls. Really, it's more like a few
sizes fit all, though. My decision tree looks like:
- If it's a tiny shop with a trivial security policy and a near-zero
budget, set 'em up with a trivial little firewall based on my OS of
choice (Red Hat Linux), stripped of all standard daemons, running
ipfw+fwtk. Give them the standard off-the-shelf security stance,
something along the lines of ``inbound&outbound proxied email, and
access to proxied WWW _only_, proxied through a cascade of squid (for
performance) feeding from http-gw (for applet stripping)''. Then
discuss the limitations of this stance with them, and why those limits
are often good, and see what needs changing.
- If there's enough more money around to be able to afford it, toss a
Cisco 2500-series router just outside the above fw configured as a
screening router.
- If we're still awash in money explain alternative commercial
offerings, with their tradeoffs of support -vs- cost.
- As the site gets bigger and its demands grow, increase performance if
necessary by adding additional proxy hosts; accommodate more complex
requests for frobbing the security policy by implementing more complex
configurations of the proxying software, possibly assisted with
additional hosts.
My feeling is that a risk analysis is valuable, but that you only really
get the benefit of it when you have a nearly-infinite budget; when funds
are tight the cost of the detailed analysis comes out of the
implementation budget, and you're better off giving them a known-good
firewall setup, initially set for a quite conservative stance, that can
be easily tweaked for minor changes from that stance.
-Bennett
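The "trivial little firewall" stance in the first branch above, written out as an ipfwadm ruleset for a dual-homed Linux 2.0 bastion. This is an added example, not code from Bennett Todd or from the firewall-wizards list; it assumes constructed interface names and addresses (eth0/eth1, 192.168.1.0/24, 203.0.113.2, an internal mail host at 192.168.1.10), that squid listens on 3128 and hands requests to http-gw on the same host over loopback, that only port 80 is proxied, and that the proxies resolve names through one upstream resolver, which the post does not mention. The point it makes concrete is that the forwarding chain has a deny policy and no rules at all: nothing crosses the bastion inside the kernel, every permitted flow ends on a proxy.

```shell
#!/bin/sh
# Added example (not from the post or the firewall-wizards list): the "trivial
# little firewall" stance as an ipfwadm ruleset for a dual-homed Linux 2.0 host.
# Nothing is forwarded through the kernel; every permitted flow terminates on
# a proxy (fwtk for mail, squid -> http-gw for WWW).
# All addresses, interface names and ports below are constructed assumptions.

EXT_IF=eth0               # assumed: interface facing the Internet
INT_IF=eth1               # assumed: interface facing the internal LAN
INT_NET=192.168.1.0/24    # assumed internal network
FW_INT=192.168.1.1        # firewall's inside address (assumed)
FW_EXT=203.0.113.2        # firewall's outside address (documentation range)
MAIL_HOST=192.168.1.10    # assumed internal mail server that talks to the bastion
DNS_SERVER=203.0.113.53   # assumed upstream resolver (the post does not cover DNS)
SQUID_PORT=3128           # squid listens here; it forwards to http-gw on loopback
HIGH=1024:65535           # unprivileged client port range

rule() { printf 'ipfwadm %s\n' "$*"; }

# Emit the ruleset. Run with APPLY=1 to execute it instead of printing it.
fw_rules() {
    # Start clean and default-deny input, output and forwarding.
    for chain in I O F; do rule -$chain -f; rule -$chain -p deny; done

    # Loopback carries the squid -> http-gw hop, so it must be open.
    rule -I -a accept -W lo
    rule -O -a accept -W lo

    # Anti-spoofing: internal addresses never arrive on the outside interface.
    rule -I -a deny -o -W $EXT_IF -S $INT_NET

    # Inbound mail: Internet -> bastion:25, replies (ACK set only) back out.
    rule -I -a accept -P tcp -W $EXT_IF -S 0.0.0.0/0 $HIGH -D $FW_EXT 25
    rule -O -a accept -P tcp -k -W $EXT_IF -S $FW_EXT 25 -D 0.0.0.0/0 $HIGH

    # Outbound mail: bastion -> Internet:25, replies back in.
    rule -O -a accept -P tcp -W $EXT_IF -S $FW_EXT $HIGH -D 0.0.0.0/0 25
    rule -I -a accept -P tcp -k -W $EXT_IF -S 0.0.0.0/0 25 -D $FW_EXT $HIGH

    # Mail relay between bastion and the internal mail host, both directions.
    rule -I -a accept -P tcp -W $INT_IF -S $MAIL_HOST $HIGH -D $FW_INT 25
    rule -O -a accept -P tcp -k -W $INT_IF -S $FW_INT 25 -D $MAIL_HOST $HIGH
    rule -O -a accept -P tcp -W $INT_IF -S $FW_INT $HIGH -D $MAIL_HOST 25
    rule -I -a accept -P tcp -k -W $INT_IF -S $MAIL_HOST 25 -D $FW_INT $HIGH

    # WWW: internal clients reach only squid on the bastion ...
    rule -I -a accept -P tcp -W $INT_IF -S $INT_NET $HIGH -D $FW_INT $SQUID_PORT
    rule -O -a accept -P tcp -k -W $INT_IF -S $FW_INT $SQUID_PORT -D $INT_NET $HIGH
    # ... and only http-gw, running on the bastion, opens connections to port 80.
    rule -O -a accept -P tcp -W $EXT_IF -S $FW_EXT $HIGH -D 0.0.0.0/0 80
    rule -I -a accept -P tcp -k -W $EXT_IF -S 0.0.0.0/0 80 -D $FW_EXT $HIGH

    # The proxies need name resolution; one upstream resolver over UDP (assumption).
    rule -O -a accept -P udp -W $EXT_IF -S $FW_EXT $HIGH -D $DNS_SERVER 53
    rule -I -a accept -P udp -W $EXT_IF -S $DNS_SERVER 53 -D $FW_EXT $HIGH

    # Log whatever falls through to the deny policy (-o enables kernel logging).
    rule -I -a deny -o
    rule -O -a deny -o
}

if [ "${APPLY:-0}" = 1 ]; then fw_rules | sh; else fw_rules; fi
```

Printing the rules by default and applying them only with APPLY=1 lets the stance be reviewed (and diffed against the previous one) before it touches the kernel; the `-k` rules are what keep the return halves of each permitted connection from doubling as a way to open new ones, since they match only TCP segments with ACK set.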
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT