On Fri, 20 Jun 2003, Keith Moore wrote:

> still, pretending that a firewall can make up for a lack of security on the
> host (ANY host) or in the apps is simply unrealistic, no matter who wrote the
> host OS.

That statement is simply not true. Based on policies that reject inbound connections to all computers except those carefully hardened and sequestered on their own 'DMZ' will dramatically reduce the potential of compromise from many risky applications ranging from TELNET on Solaris to SMB on Windows. More sophisticated firewalls examine data flow for viruses, and other problematic code.

Securing networks and hosts requires a whole quiver of arrows. A competent firewall is a significant set of arrows but can't solve the whole problem. But it will make up for many security flaws in the hosts and/or applications.

Potential problems can be reduced to almost 0 if careful users avoid risky behaviors and live behind a solid firewall. Sure there will be things they can't do, but there are a wealth of things they can safely do thanks to the Internet accessed thru a firewall.

Dave Morris