Firewall Wizards: Re: Antwort: Re: Antwort: Re: Facts, not Fiction

[Bennett Todd <bet () rahul net>]

On Mon, Nov 10, 1997 at 05:16:55PM +0100, Hartmut.Fehling () Hamburg-Mannheimer de wrote:
> How far DO YOU (all of you out there) trust the current products to do what
> they are supposed to do?
What they are _supposed_ to do? That's too subjective for my tastes. I
trust most of the major products out there to do what they are
documented to do, when the documentation is read with an understanding
of the strengths and weaknesses of the implementation. I _don't_ trust
them to do what their marketing claims they will do, in most cases.

As mjr said, there may be bugs --- especially Denial-of-Service bugs ---
in any of the major implementations, but they tend to be fixed quietly
by the vendor, without a big hoopola, before they ever get exploited.

> Do you cascade them with other products with a similar function to ensure
> that one bug doesn't open up all ports?
Almost always.

> Or does everyone here at least use a combination of FW-Host + securely
> configured internal Router?
I do it with a securely configured external router, and the only time I
don't do multiple-layered defense is when it's a tiny shop, whose budget
won't support a screening router, and whose internet connection hardware
can't be configured to act as one.

-Bennett