Quoting Steffen Dettmer (steffen@dett.de) on Fri, Mar 02, 2001 at 10:55:53AM +0100:
I recommend using kernel 2.2 for the first and 2.4 for the second packet filter. If an attacker could use a kernel bug to bypass the firewall, the other kernel release usually should not have the same bug (or combine Linux and BSD or so).
Using two different technologies is theoretically quite a bit better. I would use it on my own systems any time. But only if you can get admins that are proficient in both. Unfortunately, there are not enough of those. At most customer sites I see, I start cheering if I see someone competent in at least one technology :-((
An additional problem with stateful filters is that people think they now have a magic bullet for security.
Well, but that's the same with simple firewalls and virus scanners ("I can open all attachments, I have a virus scanner!").
Yup! So let's reduce the number of magic bullets and try to educate as many as possible.
single line of defense. The best firewall setup is still, and will still be 5 years from now:

    <external-router-with-static-ACLs>
                   |
    <Application-Gateway-Firewall>------------------<DMZ>
                   |
    <internal-router-with-static-ACLs>
Well, but in practice there are still a lot of protocols without good and secure proxies, aren't there? HTTP, mail, DNS and others are no problem, but maybe SMB or NFS (yep, I know VPN :)).
Hmm, then rethink the company's overall policies. Either they do want security or they don't. SMB or NFS or any of the other totally uncontrollable protocols with an external network is just no good security practice.
Lessons learned: time changes technology; it does not change concepts. Worked for me for the last 10 years.
afx
--
atsec information security GmbH      Phone: +49-89-44249830
Steinstrasse 68                      Fax:   +49-89-44249831
D-81667 Muenchen, Germany            WWW:   www.atsec.com
May the Source be with you!
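The layered design in the diagram above, and the point made at the top of the thread that a bug which lets a packet past one filter should not let it past the next, as an added model. This is example code written for this page, not code from the thread, from the list members or from atsec. Addresses (RFC 5737 test net for the DMZ, RFC 1918 space for the inside), the hosts, the proxy list on the gateway and the `broken` parameter that simulates a bypassed layer are all assumptions made for the example; the port numbers for NetBIOS/SMB (137-139, 445) and NFS (2049) are the standard ones. Each border device is modelled the way it behaves: the routers as stateless first-match ACLs with an implicit deny, the application gateway as a set of per-protocol proxies that relay nothing they have no proxy for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port


def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    proto: str                           # "tcp", "udp" or "any"
    src: str                             # source CIDR
    dst: str                             # destination CIDR
    ports: Optional[Tuple[int, int]] = None   # inclusive destination-port range; None = any

    def matches(self, p: Packet) -> bool:
        if self.proto != "any" and self.proto != p.proto:
            return False
        if not (_in(p.src, self.src) and _in(p.dst, self.dst)):
            return False
        return self.ports is None or self.ports[0] <= p.dport <= self.ports[1]


class StaticACL:
    """Stateless first-match list as on a router: anything no rule matches is dropped."""
    def __init__(self, name: str, rules: list):
        self.name, self.rules = name, rules

    def allows(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "permit"
        return False


class AppGateway:
    """Proxy firewall: traffic is relayed only where a proxy for that (proto, port) exists,
    and only between the endpoints that proxy is configured for; everything else is dropped."""
    def __init__(self, name: str, proxies: dict):
        self.name, self.proxies = name, proxies   # (proto, port) -> [(src_net, dst_net), ...]

    def allows(self, p: Packet) -> bool:
        return any(_in(p.src, s) and _in(p.dst, d)
                   for s, d in self.proxies.get((p.proto, p.dport), []))


# Constructed addressing for the example (assumption, not from the thread).
INTERNET, DMZ, INTERNAL = "0.0.0.0/0", "192.0.2.0/24", "10.0.0.0/8"
WEB, MAILRELAY, MAILHUB = "192.0.2.10/32", "192.0.2.25/32", "10.1.1.25/32"

EXTERNAL = StaticACL("external-router", [
    Rule("deny", "any", INTERNET, INTERNET, (137, 139)),    # NetBIOS/SMB never crosses the border
    Rule("deny", "any", INTERNET, INTERNET, (445, 445)),
    Rule("deny", "any", INTERNET, INTERNET, (2049, 2049)),  # NFS likewise
    Rule("deny", "any", INTERNET, INTERNAL),                # nothing from outside reaches the inside directly
    Rule("permit", "tcp", INTERNET, WEB, (80, 80)),
    Rule("permit", "tcp", INTERNET, MAILRELAY, (25, 25)),
    Rule("permit", "udp", INTERNET, DMZ, (53, 53)),
])
GATEWAY = AppGateway("application-gateway", {
    ("tcp", 80): [(INTERNET, WEB)],
    ("tcp", 25): [(INTERNET, MAILRELAY), (MAILRELAY, MAILHUB)],
    ("udp", 53): [(INTERNET, DMZ)],
})
INTERNAL_RTR = StaticACL("internal-router", [
    Rule("permit", "tcp", MAILRELAY, MAILHUB, (25, 25)),    # the only thing the DMZ may open inward
])


def layers_for(p: Packet) -> list:
    """Layers an inbound packet crosses: Internet -> DMZ passes two, anything bound for the inside passes the internal router as well."""
    path = [] if _in(p.src, DMZ) else [EXTERNAL]
    path.append(GATEWAY)
    if _in(p.dst, INTERNAL):
        path.append(INTERNAL_RTR)
    return path


def verdict(p: Packet, broken=None) -> str:
    """'pass' if every layer on the path permits the packet, else the name of the first layer that drops it.
    `broken` names one layer assumed to be bypassed by a bug, so its decision is ignored."""
    for layer in layers_for(p):
        if layer is broken:
            continue
        if not layer.allows(p):
            return layer.name
    return "pass"


if __name__ == "__main__":
    smb = Packet("tcp", "198.51.100.7", "192.0.2.10", 445)
    print("SMB to DMZ, all layers up:      ", verdict(smb))
    print("SMB to DMZ, external bypassed:  ", verdict(smb, broken=EXTERNAL))
    nfs = Packet("tcp", "192.0.2.25", "10.1.1.25", 2049)
    print("NFS DMZ->inside, gateway bypassed:", verdict(nfs, broken=GATEWAY))
```

The thing to notice is that every packet that is dropped with all layers up is still dropped when any single layer is skipped, because each layer permits only what it positively needs and the layers are written independently (router ACL syntax on the outside, proxy configuration in the middle). A design that relied on one stateful filter to carry all of the policy would have no second verdict to fall back on.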