Firewall concepts
Will Maier
willmaier at ml1.net
Thu Dec 8 09:24:35 PST 2005
On Thu, Dec 08, 2005 at 03:47:00PM +0100, Marcus Franke wrote:
> Concerning the manageability I would say, yes, you are right. One
> should invent a solution like the manageability of WinXP SP2 with
> the help of the ActiveDirectory in a Windows server domain.
> One ruleset for all boxes.
There are several implementations of this idea; cfengine being
perhaps the most popular. If you're only managing a few hosts, you
could probably also use a versioning system like CVS or SVN to
achieve a similar effect.
> But, often you read that attacks against servers will be done from
> the inside network.
This is why 'defense in depth' has become a popular mantra for
infosec people of late. Defending the perimeter often isn't enough,
especially in difficult-to-control environments (like some
businesses or most universities). Centrally administered host
firewalls often help plug holes that can't be covered on the
perimeter.
--
o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier at jabber.ccc.de | email:..........wcmaier at ml1.net |
| \.........wcmaier at cae.wisc.edu | \..........wcmaier at cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*
More information about the freebsd-pf mailing list