RE: Hardening VS firewalling ?

From: Derek Spransy (spransd@ohs.orange.k12.nc.us)
Date: 01/15/02


Date: Mon, 14 Jan 2002 21:33:49 -0500
From: "Derek Spransy" <spransd@ohs.orange.k12.nc.us>
To: leon@inyc.com, omark@jeeran.com, security-basics@securityfocus.com, alvarezp@telnor.net

I think that a lot of IT people with little security training think that a firewall is an all-in-one solution. I used to work for a place that thought because they had a firewall everything was safe. They didn't keep up on their policies, they didn't check the logs, and they didn't patch their systems. I tried to tell them that if the WWW service running on port 80 that the firewall lets in is vulnerable, a firewall won't do jack. They didn't listen :)

<<< "leon" <leon@inyc.com> 1/13 11:56a >>>

People commonly compare security to an onion as both are layered.

Firewalling is one layer, hardening is another layer, IDS is yet
another layer, then you have physical security, strong
authentication, yadda yadda.

However, once you start having layers, security becomes more like a
chain (only as strong as your weakest link). So I am not saying
don't have layers (the more layers the better), just don't assume
because you have a firewall you don't need to harden (or any
combination: I have an IDS and a firewall, who needs to patch?).

Hope everyone is having a nice weekend,

Leon

-----Original Message-----
From: Octavio / Super [mailto:alvarezp@telnor.net]
Sent: Tuesday, January 08, 2002 4:57 AM
To: Omar Koudsi; security-basics@securityfocus.com
Subject: Re: Hardening VS firewalling ?

If I have to choose _only_ one, then I would go for security patches,
but if I use time optimization as a base for my decision, then I
would firewall to deny everything except explicitly necessary
services and then I would security-patch all of those explicitly
allowed services.

If time is not of my concern, I would do that, plus I would develop
security policies, like more secure passwords and secure practices; I
would have the employees/students take a course on computing culture,
etc.

Octavio.

At 02:29 a.m. 08/01/2002 0200, Omar Koudsi wrote:
>OK, I know this is more of a theoretical debate, because in reality
>we are able and should do BOTH.
>
>
>But according to you, which is more important? Paying attention to
>having a great firewall with a great ACL more than hardening and
>patching the systems? Or not having to worry about the firewall, or
>having one at all, and concentrating on applying best practices to
>OS/APPS and making sure the OS/APPS are up to date on patches?
>
>In the unlikely event that you had to choose one over the other (or
>some people would argue that this is a reality since time is limited
>and you can really concentrate on one), which one would it be and
>why?
>
>Regards,
>
>
>-----------
>Omar Koudsi
>IT Architect
>Network Security Center
>Special Systems Company
>http://security.sscjo.com
>omark@sscjo.com
>Tel: (9626) 5664221
>Fax: (9626) 5681557

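Octavio's two-step approach (deny everything, allow only the explicitly necessary services, then patch those) together with Derek's port-80 point, as an added shell example that is not part of any message in this thread. It assumes nftables syntax for the ruleset, a constructed `ss -ltnH` listing as input, and a placeholder allow-list of 22, 80 and 443; the function and variable names are the example's own.

```shell
#!/bin/sh

# Placeholder allow-list for the example: the explicitly necessary services.
ALLOWED_TCP="22 80 443"

# Constructed sample of 'ss -ltnH' output; column 4 is local address:port.
SS_SAMPLE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3306 0.0.0.0:*'

# Step 1: an nftables ruleset whose input policy is drop, opening only
# the listed TCP ports (plus loopback and replies to our own connections).
# Load with 'nft -f' after reviewing it; this function only prints it.
gen_ruleset() {
    allowed=$(printf '%s' "$1" | tr ' ' ',')
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport { $allowed } accept
    }
}
EOF
}

# Shared helper: print listening ports that are (mode=in) or are not
# (mode=out) in the allow-list, space separated, in listing order.
select_ports() {
    printf '%s\n' "$3" | awk -v allowed="$1" -v mode="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { n = split($4, h, ":"); p = h[n]
          if ((p in ok) == (mode == "in")) out = out (out == "" ? "" : " ") p }
        END { print out }'
}

# Step 2: services the firewall passes. The firewall adds nothing for
# these (Derek's port-80 point), so they are the patching priority.
exposed_ports() { select_ports "$1" "in" "$2"; }

# Listening but blocked: protected by the firewall layer alone, so an
# unplanned service here is a sign of a missing hardening step.
shielded_ports() { select_ports "$1" "out" "$2"; }

gen_ruleset "$ALLOWED_TCP"
echo "patch first (reachable): $(exposed_ports "$ALLOWED_TCP" "$SS_SAMPLE")"
echo "firewall-only (blocked): $(shielded_ports "$ALLOWED_TCP" "$SS_SAMPLE")"
```

On a real host, replace `SS_SAMPLE` with the output of `ss -ltnH` and keep the exposed list as the patch-tracking list for that machine.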