Re: Sidewinder vs Netscreen as layer 3 firewall only.

From: Andy Davidson ($andy$_at_nosignal.org)
Date: 05/13/05

    Date: 13 May 2005 21:23:14 GMT

    [Michael Pelletier wrote in comp.security.firewalls]
    >>        firewall
    >>           |
    >>           |
    >>   redline reverse proxy
    >>           |
    >>           |
    >>        webservers
    > Honestly, I would recommend using a combination of layer 3/4 firewalls *AND*
    > an application firewall. This is a good security setup. A layer 3/4
    > firewall alone is not adequate now-a-days...

    Indeed. The Redlines we have act as an application firewall (even though
    that's not strictly their intended purpose.)

    Which is why we don't want to duplicate the work by having a Sidewinder
    perform the same role. Especially as Secure Computing tell us that
    turning it off will give us the throughput performance we need.

    Cheers
    -a

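    As an added illustration (not code from the thread, nor from Secure Computing or Redline) of why the two tiers are kept separate: a small Python model of a layer 3/4 packet filter in front of an application-layer HTTP check like the one the reverse-proxy tier provides. The Packet type, the port allowlist and the HTTP checks are constructed for this example.

```python
# Added example: a two-stage model of the layered design in the thread.
# Stage 1 is a layer 3/4 filter (protocol + port only, payload unseen).
# Stage 2 is the application-layer check the reverse-proxy tier adds.
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Packet:  # constructed for the example, not a real wire format
    proto: str
    dst_port: int
    payload: bytes = b""


# Layer 3/4 policy: only HTTP/HTTPS towards the proxy tier is allowed.
L34_ALLOW = {("tcp", 80), ("tcp", 443)}


def l34_filter(pkt: Packet) -> bool:
    """Accept or drop on protocol and port alone; never inspects payload."""
    return (pkt.proto, pkt.dst_port) in L34_ALLOW


# Application-layer policy (hypothetical proxy rules).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_REQUEST_LINE = 2048


def app_filter(payload: bytes) -> Tuple[bool, str]:
    """Validate the HTTP request line and headers; return (ok, reason)."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ascii request"
    request_line, _, rest = text.partition("\r\n")
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in ALLOWED_METHODS \
            or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    path = parts[1]
    if not path.startswith("/") or ".." in path.split("/"):
        return False, "bad path"
    if not any(h.lower().startswith("host:") for h in rest.split("\r\n")):
        return False, "missing Host header"
    return True, "ok"


def inspect(pkt: Packet) -> str:
    """Run both stages in order and report where the packet ends up."""
    if not l34_filter(pkt):
        return "dropped by l3/4 filter"
    ok, reason = app_filter(pkt.payload)
    return "forwarded to webservers" if ok else f"rejected by proxy: {reason}"
```

    A request on port 80 with a bad method or a traversal path passes stage 1 untouched and is only stopped at stage 2, which is the gap the quoted reply is pointing at.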
