searchsecurity.techtarget.com — For years, infosec experts have called the firewall a critical ingredient to security, whether it's in a large enterprise or on a home PC. But the San Diego Supercomputer Center (SDSC) has defied that logic with what some would consider surprising success.
Jun 5, 2006
mishley (Jun 5, 2006)
If the added value doesn't outweigh the costs, it seems to me that even an organization as tightly controlled as the SDSC would gain more than it would lose by installing a good firewall at its borders.

That said, the comments about a firewall being more trouble than it would be worth, followed by a description of the detailed and robust configuration management environment they have in place, don't necessarily ring true with me. If a good CM environment is in place, then a simple thing like managing firewalls shouldn't dissuade them from implementation.

Also, there is such a thing as a zero-day exploit, in which case a firewall and IDS would be irreplaceable, whereas an incident response involving the reconfiguration of host-based settings on 6,000 nodes would not be immediate or maybe even effective.
tweakt (Jun 5, 2006)
>> Firewalls and NATs are two completely different things. Someone with even a basic level of skill can traverse a NAT device with ease and access the machines located behind the NAT as if they are connected directly to the Internet.

Uhh, no, sorry. Wrong!

Basic skill level? So you've found a way to somehow extract information from my firewall's state table (src and dst host address and ports) and trivially spoof packets into an established TCP connection, by guessing cryptographically secure, randomly incrementing TCP sequence numbers? And you consider that basic skill level?

Or it might just be that you don't have a clue what you're talking about.
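As an added illustration of the state table tweakt is describing (example code written for this page, not from the thread or from any product), here is a toy stateful filter: an outbound SYN from an inside host records the 4-tuple, and inbound packets are passed only when they match a recorded flow. The inside range 10.0.0.0/24 and the packets are constructed; real filters additionally track TCP sequence windows and flow timeouts.

```python
from dataclasses import dataclass

INSIDE_NET = "10.0.0."  # constructed private range: hosts behind the NAT/firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag: new connection attempt
    ack: bool = False


class StatefulFilter:
    """Keeps a state table of flows the inside opened; drops everything else inbound."""

    def __init__(self):
        # Entries are (inside_ip, inside_port, outside_ip, outside_port).
        self.table = set()

    def process(self, pkt):
        if pkt.src.startswith(INSIDE_NET):
            # Outbound traffic is always allowed; a bare SYN creates state.
            if pkt.syn and not pkt.ack:
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: reverse the tuple and look for an established flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.table else "DROP"


def run(packets):
    f = StatefulFilter()
    return [f.process(p) for p in packets]


# Constructed sample traffic (TEST-NET documentation addresses for the outside).
SAMPLE = [
    Packet("10.0.0.7", 51000, "203.0.113.5", 80, syn=True),           # inside opens HTTP
    Packet("203.0.113.5", 80, "10.0.0.7", 51000, syn=True, ack=True), # legitimate SYN/ACK reply
    Packet("198.51.100.9", 40000, "10.0.0.7", 22, syn=True),          # unsolicited inbound SSH
    Packet("203.0.113.5", 80, "10.0.0.7", 51001),                     # wrong port: no matching state
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run(SAMPLE)):
        print(verdict, pkt)
```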
odyss3y (Jun 5, 2006)
People should not comment if they don't have an understanding of what is being discussed. For example, one should be able to tell the difference between a NAT, a firewall, and a router.

One of the keys to a successful security practice is the defense in depth approach, as mentioned previously. 99.999% of hack attempts will be script kiddies who might end up doing a DDoS or something else annoying. It's that one user who can get around all the basic defenses set up, and who will basically steal money, that needs to be defended against, which is why technology like IDS/SIM/SEM/etc. exists.
critic (Jun 5, 2006)
Just wondering how many Warez and Pr0n sites the San Diego Supercomputer Center (SDSC) visits in a week.
Closed Account (Jun 5, 2006)
dig for challenging conventional wisdom: thinking outside the (firewall) box. However, a strategy of having basically a firewall on each system means administration multiplied by x number of hosts; notice he makes clear the idea of maintaining 'patches' (times x number of hosts). Also, bandwidth is being used by the given packet hacks coming into the network even if they are dropped at the host: kinda like having the front door open and turning strangers away may get you by, perhaps if you have a big gun in your hand, but your carpet is going to be worn thin quickly...