Preview of next week's article on DMZs

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 24 Nov 2005 11:17:27 -0600

Not all DMZs are Created Equal -- Why You Need Perimeter Firewalls and
Bullet Proof Vests


I had to find out what the deal was with the change in recommendation,
so I was able to buttonhole a few Exchange guys who might be able to
provide a rationale for their decision. Their collective opinion was
that "you have to make cheese out of the firewall to allow intradomain
communications, or use an IPSec tunnel through the firewall, so there's
no sense in having a firewall there at all".

What? There's no sense in having a firewall at all? That's like a cop
saying "I don't wear a bullet proof vest when I'm on the streets, since
they can just shoot me in the head". Yes, the scumbag could shoot you in
the head, but the bullet proof vest provides a significant level of
protection for a large area of physical vulnerability. No, it won't
protect you from head shots, neck shots, bleed outs from femoral artery
leg shots, or pulmonary emboli secondary to shattering of the tibia. But
the bullet proof vest still protects you from all the bad things that
can happen if you weren't wearing a vest, such as shots through the
heart, lungs, liver, kidney, stomach, pancreas and intestines.

I ran this analogy through my ex-cop wife, Deb Shinder, and asked her if
there were cops who thought the same way as the Exchange team in terms
of their firewall recommendations for front-end and back-end Exchange
Servers. She said there are rookies who think the same way as the Exchange
team, but they usually don't last long. They either catch a slug in
their center mass or they see their partner get hit. Either way, they
don't hit the streets again without their own "personal firewall".

 
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/> 
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
MVP -- ISA Firewalls
**Who is John Galt?**

 
