ietf

RE: Storage over Ethernet/IP

2000-05-26 09:20:02
Odd.. I thought we had a clue about security.  The guys at SANS just
gave us a 'Technology Leadership Award'.  I just walked across the hallway,
and I didn't see any firewall in our router swamp.
I guess because we don't have a firewall, we don't have a clue.  Or because
we don't have a firewall, we can't deploy this technology.  Somehow, that
doesn't smell right.
If your OS is hardened enough, a firewall may not be appropriate.

I am not saying that you don't have a clue if you don't utilize a firewall.

I AM saying that if you have Internet access to your network, a firewall is 
extremely important.  It isn't complete, in and of itself.  OS hardening is
still very important, as are other technologies (as necessary to facilitate
application needs).  

I understand your point that if your OS is perfectly hardened, then a
firewall isn't going to add any *extra* protection.  You miss the point,
though.  You can prevent unnecessary processor and bandwidth utilization
on the server by filtering it out at the perimeter of your network.  You
might not get a security advantage if you are an OS hardening god, but you
would CERTAINLY get performance increases on your LAN.

If you are utilizing pure access lists on routers for perimeter security,
then you are assuming that this technology is as adept at securing a
network as port filters combined with Network Address Translation or
circuit proxying.  Don't make that assumption.

Brian


