-------- Original Message --------
From: jseymour@linxnet.com (Jim Seymour)
To: firewall-wizards@listserv.cybertrust.com
Subject: Re:[fw-wiz] How automate firewall tests
Date: Wed Aug 23 17:49:46 2006

> "R. DuFresne" wrote:
>> On Fri, 18 Aug 2006, Keith A. Glass wrote:

> [snip]
>>> Well. . .we packet-filter at the border routers and switches prior to the
>>> border firewall to take some of the load off. . .but then ALL our routers
>>> are set to packet filter as an additional security measure. . .

>> It might amaze a number of folks to learn how uncommon this setup is these
>> days.

> [snip]
> In a way it amazes me, and in a way it does not. It amazes me in that
> it's such a logical thing to do, I'm at a loss as to understand why
> somebody wouldn't. (I'm speaking in general terms. I'm sure there are
> perfectly valid exceptions.) It does not amaze me in that I've come to
> the conclusion that competence is (increasingly) a rare thing.
> The router needs to protect itself. The router can also aid in the
> protection of the firewall. The router can also take some of the load
> off the firewall.

Like everything else, you have to plan this well. If you end up with
too many redundant rules on different network equipment, you give
yourself a management headache.

Haim (Howard) Roman
Computer Center, Jerusalem College of Technology

