ietf

Re: primary purpose of firewalls

2003-06-22 23:54:17
still, pretending that a firewall can make up for a lack of security on
the host (ANY host) or in the apps is simply unrealistic, no matter who
wrote the host OS.

That statement is simply not true. Policies that reject inbound
connections to all computers except those carefully hardened and
sequestered in their own 'DMZ' will dramatically reduce the potential of
compromise from many risky applications ranging from TELNET on Solaris to
SMB on Windows.

actually, it sounds like you're agreeing with me.  you're having the firewall
completely block traffic except to those hosts that you trust to provide
adequate security.  my only question would be whether there are threats behind
your firewall, e.g. any machine that runs windows and is used to read email.

More sophisticated firewalls examine data flow for viruses, and other
problematic code.

Securing networks and hosts requires a whole quiver of arrows. A competent
firewall is a significant set of arrows but can't solve the whole problem.
But it will make up for many security flaws in the hosts and/or
applications.

yes indeed.  my point is that it's still not good enough to make those hosts
secure.  and sometimes those sophisticated firewalls break protocol
interoperation even when they're trying to permit the traffic.

Potential problems can be reduced to almost 0 if careful
users avoid risky behaviors and live behind a solid firewall.

Sure there will be things they can't do, but there is a wealth of things
they can safely do thanks to the Internet accessed thru a firewall.

all I can say is I'm glad I don't have to depend on you to secure my networks.

Keith