RE: Hardening VS firewalling ?

From: Derek Spransy (
Date: 01/15/02

Date: Mon, 14 Jan 2002 21:33:49 -0500
From: "Derek Spransy" <>

I think that a lot of IT people with little security training think that a firewall is an all-in-one solution. I used to work for a place that thought because they had a firewall everything was safe. They didn't keep up on their policies, they didn't check the logs and they didn't patch their systems. I tried to tell them that if the WWW service running on port 80 that the firewall lets in is vulnerable, a firewall won't do jack. They didn't listen :)

<<< "leon" <> 1/13 11:56a >>>

People commonly compare security to an onion as both are layered.

Firewalling is one layer, hardening is another layer, ids is yet
another layer, then you have physical security, strong
authentication, yadda yadda

However once you start having layers security becomes more like a
chain (only as strong as your weakest link). So I am not saying
don't have layers (the more layers the better) just don't assume
because you have a firewall you don't need to harden (or any
combination; I have an ids and a firewall who needs to patch?)

Hope everyone is having a nice weekend,


-----Original Message-----
From: Octavio / Super []
Sent: Tuesday, January 08, 2002 4:57 AM
To: Omar Koudsi;
Subject: Re: Hardening VS firewalling ?

If I have to choose _only_ one, then I would go for security patches,
but if I use time optimization as a base for my decision, then I
would firewall to deny everything except explicitly necessary
services and then I would security-patch all of those explicitly
allowed services.

If time is not of my concern, I would do that, plus I would develop
security policies, like more secure passwords, secure practices, I
would have the employees/students take a course on computing culture,


At 02:29 a.m. 08/01/2002 0200, Omar Koudsi wrote:
>OK, I know this is more of a theoretical debate, because in reality
>we are able and should do BOTH.
>But according to you, which is more important? Paying attention to
>having great firewall with a great ACL more than hardening and
>patching the systems? Or not have to worry about the firewall or
>having one at all and concentrate on applying best practices to
>OS/APPS and making sure the OS/APPS is up to date on patches?
>In the unlikely event that you had to choose one over the other (or
>some people would argue that this is a reality since time is limited
>and you can really concentrate on one), which one would it be and
>Omar Koudsi
>IT Architect
>Network Security Center
>Special Systems Company
>Tel: (9626) 5664221
>Fax: (9626) 5681557

