Keith,

> Keith Moore wrote:
> I believe you should buy or write applications that ensure their
> own security and protect the security of the machines on which
> they are hosted. I believe you should buy computing platforms
> that provide facilities to isolate applications from one another,
> so that a single compromised application doesn't compromise your
> entire platform.

On this one, half of the mailing list can read what's in the back of your mind, which can be summarized in a few words: Windows is not a real OS. Don't try to say that's not what you think; everyone would laugh.

Keith, we are building the Internet for everyone, including the innocent users that access a web server across the world that happens to run IIS. Even if you think that the person who chose to implement IIS on top of w2k is stupid, because if s/he had half a brain s/he would have chosen apache on top of unix, that's not the user's problem, and if there is something I can do as the firewall guy to shield that IIS server, I will.

> read what I wrote again.

I did, and I pasted it again:

> the reason I disagree is that fundamentally, there's no way
> that a firewall can reliably distinguish legitimate traffic
> from illegitimate traffic,

Yes, there is a way, as I just demonstrated; a firewall with up-to-date code can reliably distinguish legitimate traffic from illegitimate traffic the same way an anti-virus can reliably detect viruses. And if Microsoft sucks as much as you say, it is fortunate that it can, because a web server compromised by a nasty worm is bad for the entire community. As for myself, I try to do my part in keeping a clean Internet, which is configuring firewalls in front of web servers, instead of saying that people should buy web servers that can't be hacked.

Michel.