On Thu, 2 Sep 2004, Jonathan Rickman wrote:
> By far, the best compromise is to filter at the customer end point. At least
Some filtering there is "best," but endpoint compromise and out of zone
control don't make it always the "best" place...
> one fairly large ISP now ships a broadband gateway with the firewall
Who? Which gateway? Configured with what policy?
> preconfigured. The customer is free to alter the filters if so inclined, but
> we all know that the default configuration will remain in place 99.9% of the
> time. There is a risk of tech support calls with this just like any other
> setup. However, this policy seems to me to be the most equitable across the
That pretty much rocks.
> board. The trick is getting the proper ruleset in place. For instance, the
> aforementioned ISP did not enable outbound TCP 1494, which caused a problem
> for telecommuters using Citrix without going through CSG. With the proper
> research, this would have been avoidable. They also failed to put a workable
> management system in place to remedy this problem. Both mistakes you should
> take note of.
Heck, I'm floored that someone's doing egress filtering by default! I
would like to know who, their praises should be sung from the highest
peaks!
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul_at_compuwar.net which may have no basis whatsoever in fact."
probertson_at_trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Sep 02 2004
Intro
