> > still, pretending that a firewall can make up for a lack of security on
> > the host (ANY host) or in the apps is simply unrealistic, no matter who
> > wrote the host OS.
>
> That statement is simply not true. Policies that reject inbound
> connections to all computers except those carefully hardened and
> sequestered on their own 'DMZ' will dramatically reduce the potential of
> compromise from many risky applications ranging from TELNET on Solaris to
> SMB on Windows.

actually, it sounds like you're agreeing with me. you're having the firewall
completely block traffic except to those hosts that you trust to provide
adequate security. my only question would be whether there are threats behind
your firewall, e.g. any machine that runs windows and is used to read email.

> More sophisticated firewalls examine data flow for viruses, and other
> problematic code.
>
> Securing networks and hosts requires a whole quiver of arrows. A competent
> firewall is a significant set of arrows but can't solve the whole problem.
> But it will make up for many security flaws in the hosts and/or
> applications.

yes indeed. my point is that it's still not good enough to make those hosts
secure. and sometimes those sophisticated firewalls break protocol
interoperation even when they're trying to permit the traffic.

> Potential problems can be reduced to almost 0 if careful
> users avoid risky behaviors and live behind a solid firewall.
>
> Sure there will be things they can't do, but there are a wealth of things
> they can safely do thanks to the Internet accessed thru a firewall.

all I can say is I'm glad I don't have to depend on you to secure my networks.

Keith
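The policy the quoted reply describes (reject inbound connections to everything except a few hardened DMZ hosts) and the gap Keith points at (traffic that inside hosts initiate themselves) can both be seen in a small policy evaluator. This is an added example written for this page, not code from either correspondent; the address ranges, the exposed DMZ services and the sample connection attempts are all constructed assumptions.

```python
"""Toy evaluation of a default-deny inbound firewall policy with a DMZ carve-out."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (documentation and RFC 1918 ranges); assumptions, not from the thread.
DMZ = ip_network("192.0.2.0/24")       # hardened, sequestered hosts
INTERNAL = ip_network("10.0.0.0/8")    # workstations and internal servers

# The only (host, port) pairs reachable from the Internet. Everything else
# inbound is dropped, which is the policy described in the quoted reply.
DMZ_EXPOSED = {
    ("192.0.2.10", 25),    # mail relay
    ("192.0.2.20", 80),    # web
    ("192.0.2.20", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    direction: str  # "inbound": initiated from the Internet; "outbound": initiated inside


def decide(flow: Flow) -> str:
    """Return 'ACCEPT' or 'DROP' for a new connection attempt."""
    dst = ip_address(flow.dst)
    if flow.direction == "outbound":
        # Inside hosts may open connections; the replies ride on connection tracking.
        # Nothing here inspects what comes back inside that session.
        return "ACCEPT"
    if dst in INTERNAL:
        # No inbound connection ever reaches the internal network, whatever the port.
        return "DROP"
    if dst in DMZ and (flow.dst, flow.dport) in DMZ_EXPOSED:
        return "ACCEPT"
    # Default deny: DMZ hosts only on the listed services, anything else dropped.
    return "DROP"


def evaluate(flows):
    """Apply the policy to a list of flows, returning (flow, verdict) pairs."""
    return [(f, decide(f)) for f in flows]


# Constructed sample traffic.
SAMPLE = [
    Flow("198.51.100.7", "10.1.1.5", 23, "inbound"),      # telnet to an internal Solaris host
    Flow("198.51.100.7", "10.1.2.9", 445, "inbound"),     # SMB to an internal Windows host
    Flow("198.51.100.7", "192.0.2.10", 25, "inbound"),    # SMTP to the DMZ relay
    Flow("198.51.100.7", "192.0.2.10", 23, "inbound"),    # telnet to the DMZ relay
    Flow("10.1.2.9", "198.51.100.50", 110, "outbound"),   # the Windows host fetching mail
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE):
        print(f"{verdict:6} {flow.direction:8} {flow.src} -> {flow.dst}:{flow.dport}")
```

The first four verdicts are the reply's argument: telnet and SMB exposure on inside hosts is closed off without touching those hosts, and even the DMZ relay only answers on the service it was hardened for. The fifth is Keith's question: the mail fetch from the internal Windows workstation is accepted because the workstation initiated it, so the content that arrives in that session is decided by the host's own security, not by this rule.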