Re: 2000 server solution

From: Leythos (void_at_nowhere.com)
Date: 10/21/03


Date: Tue, 21 Oct 2003 18:29:47 GMT

In article <bn3pif$3av$1@news.shlink.de>, wolfgang@shconnect.de says...
> Leythos wrote:
>
> >> [...] If
> >> you can do content filtering on layers 2 or 3 (that is where packet
> >> filters operate) I'll fly to Mars tomorrow.
> >
> > The WatchGuard Firebox line of appliances has provided this function for
> > more than 5 years.
>
> Definitely not on layer 2 or 3. While you look at the device, I look at the
> layer model and on which layer the filtering done by the device takes
> place. So, on which layer does Watchguard operate, when it strips email
> attachments?

Why would you care what layer it's done at - all that matters is that
the attachments are blocked/removed from the messages.

> > You can buy a small WG FB unit for under $800 that
> > will do this function.
>
> Not on the layer 2 or 3.

Again, WTF? Why does it matter which layer it's done at as long as the
firewall device removes it.

> > No one said you have to make it easy to find.
>
> Give me a reason to hide something, that is designed for public access.

Because in the real world, you are not the one deciding what is
available for public access - the chap that designs the security
structure is the one that decides what is and is not for public access.

I can leave the server setup for PING and allow a LAN to DMZ rule to
pass it, but I can block the WAN to DMZ pings. Give it up.

> > If I have a web server I can run it on port 80 (or any other port)
>
> Yes, that is normal.
>
> > and don't have to expose any other ports to the public.
>
> Why not? If nothing is listening on the other ports there is no reason to
> hide these ports from the public (always assuming that the stack is not
> vulnerable). Nothing running there, tcp-rst or icmp port unreachable is
> sent, done.

If there is no reason to expose them there is reason to leave them open.
In your example you would leave all the security up to something you
only might partially understand. In most real world examples, we block
everything until there is a reason to open it.

This is the reason that most firewalls block ALL ports in both
directions until a rule is created to do otherwise.

[snip]

Wolf, I give up with you. Keep your ideas on security (or insecurity)
and have fun with them.

-- 
spamfree999@rrohio.com
(Remove 999 to reply to me)
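The policy Leythos describes (block everything in both directions, then open only what has a rule: LAN may ping the DMZ, the public may reach only the web port, WAN pings to the DMZ are dropped) can be modelled as a small first-match-wins rule evaluator. The code below is an added example written for this page; it is not WatchGuard configuration and not code from anyone in the thread. The zone subnets, the rule list and the sample packets are constructed assumptions for illustration.

```python
"""Default-deny packet filter model (added example, not from the thread).

Every packet is dropped unless an explicit allow rule matches it, which is the
"block ALL ports in both directions until a rule is created" behaviour the
post describes.  The zones, rules and sample traffic are assumptions made up
for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None # destination port; None for icmp

# Assumed zone layout: a private LAN, a DMZ subnet, and everything else is WAN.
ZONES = {
    "LAN": ip_network("192.168.1.0/24"),
    "DMZ": ip_network("10.0.0.0/24"),
}

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside LAN/DMZ is the public WAN."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "WAN"

# Allow rules as (src zone, dst zone, proto, dport). dport None means any port.
# First match wins. Anything not listed here falls through to DROP.
ALLOW_RULES: List[Tuple[str, str, str, Optional[int]]] = [
    ("LAN", "DMZ", "icmp", None),  # LAN -> DMZ ping allowed (the post's LAN to DMZ rule)
    ("WAN", "DMZ", "tcp", 80),     # only the web port is exposed to the public
    ("LAN", "WAN", "tcp", 80),     # outbound browsing from the LAN
    ("LAN", "WAN", "tcp", 443),
]

def decide(pkt: Packet) -> str:
    """Return "ACCEPT" if an allow rule matches, otherwise the default "DROP"."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for s, d, proto, dport in ALLOW_RULES:
        if (s, d, proto) != (src_zone, dst_zone, pkt.proto):
            continue
        if dport is None or dport == pkt.dport:
            return "ACCEPT"
    return "DROP"   # default deny: no RST, no port-unreachable, the packet just vanishes

def audit(packets: List[Packet]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of packets and return (src zone -> dst zone, summary, verdict) rows."""
    rows = []
    for p in packets:
        path = f"{zone_of(p.src)}->{zone_of(p.dst)}"
        summary = p.proto if p.dport is None else f"{p.proto}/{p.dport}"
        rows.append((path, summary, decide(p)))
    return rows

# Constructed sample traffic used when the module is run directly.
SAMPLE = [
    Packet("192.168.1.5", "10.0.0.10", "icmp"),       # LAN ping to DMZ web host
    Packet("203.0.113.7", "10.0.0.10", "icmp"),       # public ping to DMZ web host
    Packet("203.0.113.7", "10.0.0.10", "tcp", 80),    # public web request
    Packet("203.0.113.7", "10.0.0.10", "tcp", 22),    # public probe of an unexposed port
    Packet("203.0.113.7", "192.168.1.5", "tcp", 80),  # public reaching straight into the LAN
]

if __name__ == "__main__":
    for path, summary, verdict in audit(SAMPLE):
        print(f"{path:10} {summary:8} {verdict}")
```

The practical point the model makes visible: a port that has no listener on the DMZ host and a port the firewall has no rule for look identical from the outside (both produce silence), so the host's own stack never has to answer the probe at all, which is exactly the "block until there is a reason to open" posture the post argues for.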
