On Fri, 28 Mar 2008 13:53:06 +0000 Chris G cl@isbd.net allegedly wrote:
On Fri, Mar 28, 2008 at 01:12:44PM +0000, mbm wrote:
Ummm - that's what I said.
... and it's what I thought I originally said too! :-)
Yes, I agree. The only difference between us is that I would insert an application layer proxy between the router and the rest of the internal network. Routers are good at taking decisions based on packet contents. Decisions based on the contents higher up the stack are best left to devices which can intercept, and understand, the application layer protocols (so you leave mail routing decisions to mail servers, and web routing decisions to web proxies).
None of the places I know about have a proxy as such. It's surely not normal to have one on a small home/SoHo LAN, you just tell all systems (probably automatically) what their default route is and that's it.
Maybe not at home but....
We don't have one at work either.
I find that surprising. Certainly my experience is the opposite (my background is government). But even a relatively small network would benefit from the kind of defense in depth provided by:
packet filtering router - application proxy - client side AV and firewall.
If you don't have a proxy (or application layer firewall with proxy capability) how can you enforce a web usage AUP? And where would you put your web sheepdip?
Mick
---------------------------------------------------------------------
This is a Microsoft free zone. Please do not send me Microsoft Word Documents. For some reasons, see:
http://www.gnu.org/philosophy/no-word-attachments.html
http://www.goldmark.org/netrants/no-word/attach.html
---------------------------------------------------------------------
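As an added illustration of the point made in the thread (this is example code, not something posted by either participant), the following contrasts what a packet-filtering router can decide on (addresses and ports) with what an application-layer web proxy can decide on (the requested host), which is what makes a web usage AUP enforceable at the proxy. The rule tables, host names and request lines are constructed sample data.

```python
import ipaddress

# Constructed rule table for a packet-filtering router: it sees only
# source network and destination port, so every web site looks the same.
ROUTER_RULES = [
    ("10.0.0.0/24", 80, "allow"),
    ("10.0.0.0/24", 443, "allow"),
]

# Constructed AUP for the web proxy: domains the policy forbids.
AUP_DENY_DOMAINS = {"games.example", "webmail.example"}


def router_decision(src_ip: str, dst_port: int) -> str:
    """Layer 3/4 decision: first matching (network, port) rule wins."""
    src = ipaddress.ip_address(src_ip)
    for net, port, action in ROUTER_RULES:
        if src in ipaddress.ip_network(net) and dst_port == port:
            return action
    return "deny"  # default deny if nothing matched


def request_host(request_line: str) -> str:
    """Extract the target host from an HTTP proxy request line.

    Handles 'CONNECT host:port HTTP/1.1' (TLS tunnelling) and
    absolute-URI forms such as 'GET http://host/path HTTP/1.1'.
    """
    method, target, _version = request_line.split()
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    # absolute URI: scheme://host[:port]/path
    authority = target.split("//", 1)[1].split("/", 1)[0]
    return authority.rsplit(":", 1)[0].lower()


def proxy_decision(request_line: str) -> str:
    """Application-layer decision: apply the AUP to the requested host."""
    host = request_host(request_line)
    denied = host in AUP_DENY_DOMAINS or any(
        host.endswith("." + d) for d in AUP_DENY_DOMAINS
    )
    return "deny" if denied else "allow"


def both_decisions(src_ip: str, dst_port: int, request_line: str) -> dict:
    """Show side by side what each layer can conclude for one request."""
    return {"router": router_decision(src_ip, dst_port),
            "proxy": proxy_decision(request_line)}
```

The router allows both requests below identically; only the proxy can tell the AUP-violating one apart.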