Layers of Security WAS->RE: DMZ setup for Internet [7:91435] posted 08/03/2004


I'll quote from Rob Thomas' excellent Secure IOS Template page
http://www.cymru.com/Documents/secure-ios-template.html

"Taking a holistic view of the challenge led to the creation of the layered
approach. In this approach, the following philosophies are applied: 

1) The border router provides for protocol protection and defends itself and
the firewall.
2) The firewall provides port protection and defends itself and the host
residing behind it.
3) The end stations are configured to survive various DOS attacks as well as
to reduce the number of noxious services which might be exploited.

This results in the "funnel effect," wherein progressively less nasty
traffic comes through the overall pipe. The network is "crunchy through and
through," not just at the edges."

DC. Note that the border router blocks traffic sourced from the bogons and
RFC-1918 address space. It can enforce the rule that outbound traffic uses
our assigned address block. (The assumption being that an internal host may
have been compromised and is spoofing its source IP.) That router can filter
traffic to ports that is (a) obviously malicious and (b) of sufficient
quantity. TCP 445 fits that description.
So we are not "double locking" - rather sharing the task among resources.

Side comment. Best to configure the firewall to deny all outbound traffic
unless explicitly allowed.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:nobody@xxxxxxxxxxxxxx] 


It's a good question really. How many layers of security do you add to your
perimeter and do layers really help? What are the advantages and
disadvantages of "double locking the front door" and what are some good ways
to accomplish this?

Priscilla
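The layered "funnel" described in the reply above (border router drops bogon and RFC-1918 sources, enforces that outbound traffic comes from the assigned block and drops high-volume junk such as TCP 445; firewall denies outbound by default and only admits an allow-list) can be simulated in a few lines. The following is an added example written for this archive page, not code from the post, from Rob Thomas' template, or from any IOS configuration. The address block 203.0.113.0/24, the short bogon list, the allow-lists and the packets are all constructed sample data; it also adds one check the post does not spell out, dropping inbound packets that claim a source inside our own block, which is the usual companion to the egress rule.

```python
"""Simulation of a two-layer (router + firewall) perimeter policy.

Added example, not from the original post. Standard library only.
Address blocks, allow-lists and packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass

# Assumed (constructed) public block assigned to "our" site.
OUR_BLOCK = ipaddress.ip_network("203.0.113.0/24")

# RFC 1918 space plus a few well-known special-use ranges. A real bogon
# list is longer and changes over time; this one is illustrative only.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",          # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]

# Ports the border router drops outright: obviously malicious and high volume.
ROUTER_BLOCKED_TCP_PORTS = {445}

# Firewall allow-lists (constructed). Everything else is denied.
FW_OUTBOUND_ALLOW = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}
FW_INBOUND_ALLOW = {("tcp", 80), ("tcp", 443)}   # assumed: a public web host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    direction: str   # "in" = from the Internet, "out" = from our network


def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def border_router(p):
    """Layer 1: protocol/address protection. Returns (allowed, reason)."""
    if in_any(p.src, BOGONS):
        return False, "router: bogon/RFC1918 source"
    src = ipaddress.ip_address(p.src)
    if p.direction == "in" and src in OUR_BLOCK:
        # Not in the post; standard companion to the egress rule below.
        return False, "router: inbound packet claims our own block (spoof)"
    if p.direction == "out" and src not in OUR_BLOCK:
        return False, "router: outbound source not in assigned block"
    if p.proto == "tcp" and p.dport in ROUTER_BLOCKED_TCP_PORTS:
        return False, f"router: tcp/{p.dport} dropped"
    return True, "router: pass"


def firewall(p):
    """Layer 2: port protection, deny-by-default in both directions."""
    allow = FW_OUTBOUND_ALLOW if p.direction == "out" else FW_INBOUND_ALLOW
    if (p.proto, p.dport) in allow:
        return True, f"firewall: {p.direction}bound allowed"
    return False, f"firewall: {p.direction}bound denied by default"


def funnel(packets):
    """Push packets through both layers; count where each one is stopped."""
    stops = {"router": 0, "firewall": 0, "passed": 0}
    decisions = []
    for p in packets:
        ok, why = border_router(p)
        if ok:
            ok, why = firewall(p)
        layer = "passed" if ok else why.split(":")[0]
        stops[layer] += 1
        decisions.append((p, why))
    return stops, decisions


# Constructed sample traffic (198.51.100.0/24 plays the "Internet").
SAMPLE_PACKETS = [
    Packet("192.168.1.7", "203.0.113.10", "tcp", 80, "in"),      # RFC 1918 src
    Packet("198.51.100.5", "203.0.113.10", "tcp", 445, "in"),    # SMB probe
    Packet("203.0.113.10", "203.0.113.20", "tcp", 80, "in"),     # spoofs our block
    Packet("198.51.100.5", "203.0.113.10", "tcp", 80, "in"),     # legitimate web
    Packet("198.51.100.5", "203.0.113.10", "tcp", 22, "in"),     # ssh, fw denies
    Packet("203.0.113.10", "198.51.100.5", "tcp", 443, "out"),   # legitimate outbound
    Packet("10.0.0.5", "198.51.100.5", "tcp", 443, "out"),       # leaked private src
    Packet("203.0.113.10", "198.51.100.5", "tcp", 6667, "out"),  # not allow-listed
]

if __name__ == "__main__":
    counts, log = funnel(SAMPLE_PACKETS)
    for pkt, reason in log:
        print(f"{pkt.direction:>3} {pkt.src:>14} -> {pkt.dst}:{pkt.dport:<5} {reason}")
    print(counts)
```

Running it shows the funnel effect in numbers: the router stops four of the eight packets on address and port grounds alone, the firewall's default-deny stops two more, and only the two allow-listed flows reach the end station. The two layers are not duplicating each other; each drops what it is best placed to see.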




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=91452&t=91435