On Fri, 24 Sep 2010 20:32:27 +0200 Ross Cameron <ross.came...@unix.net> wrote:
>
> That's just my 5c worth and I've always been of the opinion that at least two
> different skins of firewalls should be deployed, built on top of different
> technologies.
> Makes life a lot harder for whomever you want to keep out.
>

That's a sound and valid argument. I've even read something said to be by Theo which suggested similar, showing his openness. There is however a counter-argument which is also valid, in that you may be adding a less secure stepping stone that has access to all your traffic, therefore making an attacker's job easier. The famous saying "a network is only as secure as its weakest point" could also be phrased "weakest points". Of course, the fact your Linux is specially rolled would likely make it less of a weak point, and I'm not knocking your setup, but felt it important to make the point. Obviously layer 7 filtering, tcpdump and Snort packet parsing also reduce your firewall's security too and should be well placed/controlled/isolated in respect to your time and planning/processes/budget/endpoints.