Re: Hardening VS firewalling ?

From: Jeff Giuliano
Date: 01/08/02

Date: Tue, 08 Jan 2002 12:21:09 -0500
From: Jeff Giuliano
To: Omar Koudsi

I would choose hardening, because ultimately (in general)
it is a host that is being compromised, not a network
(at least not directly). You can firewall all you want but
if you are not configuring the services securely that you DO
let through then you are still at great risk. Additionally,
if you remove services from running on a server or host,
then the need for firewalling diminishes. It does not
disappear of course.

For example, you firewall out port 111, RPC, and others, but
you have an FTP server running, not chroot'ed with anonymous
rwx access. Or, you remove RPC and other unnecessary
services, chroot FTP and remove or restrict anonymous FTP
access. Ok, that's a little exaggerated but you get my

No firewalling leaves you vulnerable to network attacks,
and others of course.

Hope that helps.


Omar Koudsi wrote:
> OK, I know this is more of a theoretical debate, because in reality we
> are able and should do BOTH.
> But according to you, which is more important? Paying attention to
> having a great firewall with a great ACL more than hardening and patching
> the systems? Or not have to worry about the firewall or having one at
> all and concentrate on applying best practices to OS/APPS and making
> sure the OS/APPS is up to date on patches?
> In the unlikely event that you had to choose one over the other (or some
> people would argue that this is a reality since time is limited and you
> can really concentrate on one), which one would it be and why?
> Regards,
> -----------
> Omar Koudsi
> IT Architect
> Network Security Center
> Special Systems Company
> Tel: (9626) 5664221
> Fax: (9626) 5681557
