"Instead, the OS should be locked down, as should the apps/services, and policy should be enforced via stateless ACLs in hardware-based routers."

It still amazes me how many people don't do this, but instead rely on their firewall to protect them. Also, in my experience, as someone mentioned, you can run Windows servers without a firewall on the internet, but locking them down is 100 times harder than locking down Linux boxes. The NANOG thread is certainly worth reading if you have the time.

-----Original Message-----
From: nznog-bounces(a)list.waikato.ac.nz [mailto:nznog-bounces(a)list.waikato.ac.nz] On Behalf Of Dobbins, Roland
Sent: Thursday, 25 February 2010 7:04 p.m.
To: nznog
Subject: Re: [nznog] Stateful firewalls

On Feb 25, 2010, at 1:06 PM, Gerard Creamer wrote:
Has some major thing happened and I missed it in terms of server security, or am I reading your statement incorrectly?
Stateful firewalls make no sense whatsoever in front of servers, since every incoming packet is unsolicited. Instead, the OS should be locked down, as should the apps/services, and policy should be enforced via stateless ACLs in hardware-based routers.
-----------------------------------------------------------------------
Roland Dobbins
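To make the "stateless ACLs in front of servers" recommendation concrete, here is an added example that is not part of the thread and not code from any of its participants. It models a router-style first-match ACL with an implicit deny and Cisco-style "established" semantics (match TCP segments with ACK or RST set), and runs it over a few constructed packets. The server address, client addresses and the rule set are all made up for illustration; nothing here keeps a connection table, which is exactly the point: for a host that only offers 80/443, per-packet matching on protocol, destination and port already expresses the whole policy, and stray ACKs that slip past the "established" rule are the job of a locked-down OS TCP stack to discard.

```python
"""Stateless ACL evaluation for a server-facing router interface (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0        # TCP flag bits; 0 for non-TCP


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "tcp", "udp", "icmp" or "ip" (any)
    dst: Optional[str] = None                  # None = any destination
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range
    established: bool = False                  # TCP only: require ACK or RST set


def matches(rule: Rule, pkt: Packet) -> bool:
    """Per-packet match: no memory of earlier packets is consulted."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dports is not None:
        lo, hi = rule.dports
        if not lo <= pkt.dport <= hi:
            return False
    if rule.established:
        # "established" in a stateless ACL only inspects flag bits; it does not
        # prove the segment belongs to a real connection (the host's TCP stack does).
        if pkt.proto != "tcp" or not pkt.flags & (TCP_ACK | TCP_RST):
            return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


SERVER = "203.0.113.10"   # constructed address from the documentation range

# Constructed policy for a host that offers only HTTP and HTTPS.
# Rule order matters: the first match decides.
SERVER_ACL = [
    Rule("permit", "tcp", dst=SERVER, dports=(80, 80)),
    Rule("permit", "tcp", dst=SERVER, dports=(443, 443)),
    # Replies to connections the server opened itself (package mirrors, backends):
    # letting ACK/RST-bearing segments through needs no state table.
    Rule("permit", "tcp", dst=SERVER, established=True),
    Rule("deny", "ip"),   # explicit version of the implicit deny, for logging/readability
]

# Constructed sample traffic arriving on the server-facing interface.
SAMPLE_PACKETS = [
    Packet("198.51.100.5", SERVER, "tcp", 51000, 443, TCP_SYN),      # new HTTPS client
    Packet("198.51.100.5", SERVER, "tcp", 51001, 22, TCP_SYN),       # SSH attempt from anywhere
    Packet("198.51.100.7", SERVER, "tcp", 443, 50123, TCP_ACK),      # reply to server-initiated fetch
    Packet("198.51.100.9", SERVER, "tcp", 40000, 50123, TCP_SYN),    # unsolicited SYN to a high port
    Packet("198.51.100.9", SERVER, "udp", 40001, 80),                # UDP to the web port
]


def sample_decisions() -> List[str]:
    """Decision for each constructed packet, in order."""
    return [evaluate(SERVER_ACL, p) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, sample_decisions()):
        print(f"{verdict:6} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The same five packets would be dropped or passed identically by a stateful device, but the stateful device would also have to create and age a table entry for every inbound SYN it permits, which is state spent on traffic the server was always going to see unsolicited. Running the ACL on the router rather than on the host also means the host never has to spend cycles on what it would reject anyway.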