Not to mention the obvious observation that a firewall designed to "fail
open" must not have anything of any importance behind it, so it (the
firewall) merely exists for "checkbox compliance" with the checklists of
incompetent arseholes and clueless retards, and not because it serves
(or is intended to serve) any useful purpose.

-- 
Be decisive.  Make a decision, right or wrong.  The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: cisco-nsp <[email protected]> On Behalf Of Gert Doering
>Sent: Tuesday, 11 August, 2020 01:18
>To: Yham <[email protected]>
>Cc: [email protected] NSP <[email protected]>
>Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
>
>Hi,
>
>On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
>> Thanks for your comments. I kinda agree with you on avoid using transparent
>> mode however not clear why you wouldn't want your north-south traffic pass
>> through perimeter security devices (FWs). how would you protect your
>> network from outside if you don't have firewalls in the traffic path? I
>> have seen some enterprises use by-pass switches to go around the firewalls
>> in case of an unexpected failure from where firewalls can't recover.
>
>What is the point of a firewall in front of a web server?
>
>The web server should not have any services running besides "web", and
>these have to be available from the outside.
>
>Adding a firewall means "you put a device in front of it that can handle
>less load and costs more" - but where's the security gain?
>
>gert
>
>--
>"If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
>
>Gert Doering - Munich, Germany
>[email protected]



_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
