>>>>> "Keith" == Keith Moore <moore@cs.utk.edu> writes:

    Keith> OTOH, the network cannot expect hosts to protect it; it must
    Keith> protect itself. that's why I say that the primary purpose of
    Keith> firewalls is to protect the network. if the firewall can also
    Keith> provide security in depth for hosts, that's useful, but that's
    Keith> just a backup - there's no way to have confidence in the
    Keith> security of a host that relies on firewalls as its primary means of
    Keith> protection.

As former lead developer at an early firewall company, who made lots of
money selling firewalls before the age of the LookOut-Virus, I concur with
Keith.

Firewalls are about *belt and suspenders*.

They can provide auditing functions as well (and I still think that this is
the main argument for them), but firewall vendors have screwed that up so
badly that this is now better done by dedicated IDS.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [