ietf

RE: primary purpose of firewalls

2003-06-20 08:27:29
Stephen,

Stephen Sprunk wrote:
> The biggest problem I've seen in Enterprise environments
> is that people running Internet-accessible servers (e.g.
> in the DMZ) often have no interest or motivation to follow
> security policy; security is secondary to functionality.

Sigh. Yes; to the point that they don't even apply service packs or
patches unless they bring more functionality.


> If you don't trust the owner, you have no reason to trust
> the machine, and a trusted firewall is the only place left
> to enforce security policies.

This is especially true in colos; not only is it simpler for me to
manage 2 firewalls instead of a farm of 300 servers, but the fact of the
matter is that two thirds of these servers are colos that I don't have
control over and some of their owners are rather lame in terms of
security.

Michel.