Re: [Hampshire] Firewall stuff

Author: Adrian Bridgett
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] Firewall stuff
On Fri, Feb 29, 2008 at 18:56:38 +0000 (+0000), Isaac Close wrote:
[snip]

"word-wrap" (cough)

> Without harping on too much about this subject, I was wondering
> about other people's opinions about the need for a BIG SHINY EXPENSIVE
> EVERYTHING WILL BE OK BS FIREWALL BOX, and perhaps to know what other
> people are using.

If it's a big deployment, then sure, filter at the hardware level: not
only does it offload some work from your servers, but it gives
additional security in case there is a bug in iptables.

For everything else, I just use iptables (firehol in fact): free,
effective, easy to configure.

There is much to be said for "defence in depth" though depending on
your paranoia. TBH multiple levels of firewalls (which ideally would
be different makes) aren't likely to be the biggest weak spot. Much
more likely are unlocked-down apps, config files with passwords being
world readable, DB grants being too permissive, ...

Adrian
--
Email: adrian@??? -*- GPG key available on public key servers
Debian GNU/Linux - the maintainable distribution -*- www.debian.org
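One of the weak spots Adrian lists above, config files with passwords left world-readable, is easy to audit for. The script below is an added example, not code from the thread or from firehol; the directory layout, file names and values it builds under mktemp are constructed samples for the demo.

```shell
#!/bin/sh
# Audit a directory tree for world-readable files that hold password-like
# settings. Added example; paths and sample contents are constructed.

# find_world_readable_secrets DIR
# Lists regular files under DIR whose "other" read bit is set (-perm -004)
# and which contain a line such as "db_password = ..." or "secret: ...".
find_world_readable_secrets() {
    find "$1" -type f -perm -004 -exec grep -Eil \
        '^[[:space:]]*[a-z_]*(passwd|password|secret)[[:space:]]*[=:]' {} + \
        2>/dev/null | sort
}

# build_demo_tree
# Creates a constructed sample tree and prints its path: one config that
# is both world-readable and holds a password (the finding), one with a
# password but mode 0600 (fine), one world-readable but harmless.
build_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/app" "$tmp/etc/ssl"
    printf 'db_host = localhost\ndb_password = hunter2\n' > "$tmp/etc/app/app.conf"
    chmod 644 "$tmp/etc/app/app.conf"          # world-readable + secret: bad
    printf 'password: s3cret\n' > "$tmp/etc/app/secret.conf"
    chmod 600 "$tmp/etc/app/secret.conf"       # secret, but owner-only: ok
    printf 'listen 443\n' > "$tmp/etc/ssl/site.conf"
    chmod 644 "$tmp/etc/ssl/site.conf"         # world-readable, no secret: ok
    echo "$tmp"
}

# Demo run over the constructed tree; on a real host you would call
# find_world_readable_secrets /etc (or your application's config dir).
demo_dir=$(build_demo_tree)
find_world_readable_secrets "$demo_dir"   # prints only .../etc/app/app.conf
rm -rf "$demo_dir"
```

Treat every hit as a file to chmod 0600 (or move the credential out of the file), and expect a few false positives from keys that merely contain the word "secret".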