Definitely true, and worth mentioning. There is also the point that several of the punier devices that one might thrust into the horde of angry packets might have crummy stacks or be vulnerable to the silliest of things (especially in the case of consumer grade equipment). If the hardware is already there (cpe with filtering capabilities, routers, etc) then I'd advise people to consider the pros of security vs cons of managing it. Deciding between a spof (router/cpe and likely a couple ethernet cables) and a firewall that is more disrespectful to unwanted packets is a tough call for me in the workplace. If the router/cpe can take a beating then I might live with it and sleep a little better at night -- though such decisions take testing and careful consideration.
I'm too paranoid to say on this list before the masses that "iptables is enough" in the workplace. For others it may be enough, and that is fine. There is a bigger picture to be seen for those who care, and my apologies if my response is steering this discussion further off topic than the original poster was seeking. I don't intend to suggest that iptables is inferior, or that if you use iptables as your only means of filtering you suck. I'll make an effort to be more on-topic in the future. A few things touched a nerve and I probably should have just clammed up and rolled with them. Something being "good enough" just grabbed me and squeezed in the wrong places. :)

-ian

On Thu, 20 Mar 2003, Keegan Quinn wrote:

> On Wednesday 19 March 2003 01:07 pm, Ian Garrison wrote:
> > Imo iptables is a reasonably good stateful firewall and is fine in most
> > cases. However, a very wise person once said that the ideal setup is to
> > layer more than one implementation of packet filter and firewall between
> > the wild and a host/network you wish to protect. Ideally implementations
> > on diverse platforms.
>
> Just remember, that when you do this, you are introducing an additional point
> of failure for each device in the chain. Some people like to keep these at a
> minimum, especially in the 'revenue-generating' environments you describe.
>
> - Keegan
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]