Author Topic: XP w. SP2...

  • Offline Mark

  • Posts: 3,748
  • Hero Member
XP w. SP2...
Reply #30 on: September 13, 2007, 22:28:25 PM
Quote from: DeltaZero
Also:

Most security updates - if you take the time to read them - prevent remote code execution.

Firewalls at the perimeter won't protect you from people that bring unclean machines in or malicious users inside your network.


Who in their right mind in a corporate environment only uses a firewall to protect the perimeter?

Every one of your VLANs' (if you run a layer 2 network, or subnets if you run on layer 3) default gateways should ideally be terminated on an interface on the firewall; desktops should be on separate VLANs to servers, services and internetworking devices.

At the very least, if you don't have enough interfaces on your firewall, you should have a tight access-list on your switches to prevent any internal meddling.

Access lists on the switches and a properly designed firewall rulebase will prevent this.


XP w. SP2...
Reply #31 on: September 13, 2007, 22:42:14 PM
Quote from: Mark
Quote from: DeltaZero
Also:

Most security updates - if you take the time to read them - prevent remote code execution.

Firewalls at the perimeter won't protect you from people that bring unclean machines in or malicious users inside your network.


Who in their right mind in a corporate environment only uses a firewall to protect the perimeter?

Every one of your VLANs' (if you run a layer 2 network, or subnets if you run on layer 3) default gateways should ideally be terminated on an interface on the firewall; desktops should be on separate VLANs to servers, services and internetworking devices.

At the very least, if you don't have enough interfaces on your firewall, you should have a tight access-list on your switches to prevent any internal meddling.

Access lists on the switches and a properly designed firewall rulebase will prevent this.




All the same, there are going to be people on the same VLAN/subnet - legitimately - who could potentially exploit security holes. There is no real alternative to patching!

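The two posts above describe the same design from opposite sides: Mark's, where every VLAN's default gateway sits on a firewall interface and switch access-lists limit "internal meddling", and the reply's, that hosts on the same VLAN never cross that firewall, so patching still matters. The following is an added illustration, not code from this thread or from any vendor: a small Python model of a constructed three-VLAN network with a firewall rulebase and a per-client switch ACL. The VLAN numbers, subnets, rules and ports are all made-up assumptions chosen to show which flows the firewall actually sees.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed topology (assumption): each VLAN's default gateway is an
# interface on the firewall, so inter-VLAN traffic must traverse the rulebase.
VLANS: Dict[int, object] = {
    10: ip_network("10.0.10.0/24"),  # desktops
    20: ip_network("10.0.20.0/24"),  # servers
    30: ip_network("10.0.30.0/24"),  # management / internetworking devices
}


@dataclass(frozen=True)
class FwRule:
    src_vlan: int
    dst_vlan: int
    dst_port: int
    action: str  # "permit" or "deny"


# Constructed firewall rulebase; anything unmatched hits the implicit deny.
RULEBASE: List[FwRule] = [
    FwRule(10, 20, 443, "permit"),  # desktops -> servers, HTTPS only
    FwRule(30, 20, 22, "permit"),   # management -> servers, SSH only
]

# Constructed switch ACL applied to every client port on a VLAN:
# (dst_port -> action). This is the only filter same-VLAN traffic meets.
SWITCH_ACL: Dict[int, Dict[int, str]] = {
    10: {445: "deny", 135: "deny"},  # block SMB/RPC between desktops
}


def vlan_of(ip: str) -> Optional[int]:
    """Return the VLAN id whose subnet contains ip, or None."""
    addr = ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Classify a flow: which control (if any) gets to filter it."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "drop: unknown VLAN"

    if src == dst:
        # Same VLAN: the switch forwards the frame directly; the firewall
        # gateway never sees it. Only the switch ACL applies here.
        if SWITCH_ACL.get(src, {}).get(dst_port) == "deny":
            return "switch-acl deny"
        return "same-vlan permit: not inspected by firewall"

    # Different VLANs: routed via the firewall, first-match rulebase.
    for rule in RULEBASE:
        if (rule.src_vlan, rule.dst_vlan, rule.dst_port) == (src, dst, dst_port):
            return rule.action
    return "deny (implicit)"


if __name__ == "__main__":
    # Constructed sample flows.
    for flow in [("10.0.10.5", "10.0.20.8", 443),
                 ("10.0.10.5", "10.0.20.8", 22),
                 ("10.0.10.5", "10.0.10.9", 445),
                 ("10.0.10.5", "10.0.10.9", 3389)]:
        print(flow, "->", evaluate(*flow))
```

The last two sample flows are the point of the reply: a desktop talking to another desktop on VLAN 10 is either stopped by the switch ACL or reaches its target without the firewall ever being consulted, so whatever the ACL leaves open is protected only by the target host being patched.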


  • Offline Serious

  • Posts: 14,467
  • Global Moderator
  • Hero Member
XP w. SP2...
Reply #32 on: September 13, 2007, 23:14:29 PM
Quote from: Mark
Quote from: DeltaZero
Also:

Most security updates - if you take the time to read them - prevent remote code execution.

Firewalls at the perimeter won't protect you from people that bring unclean machines in or malicious users inside your network.


Who in their right mind in a corporate environment only uses a firewall to protect the perimeter?



Quite a few of them, and some still do even though they operate Wi-Fi areas. Total stupidity of course but it happens. I have a firewall on the router, but every computer we own has zone alarm on it too, just to be safer.

I then check on every patch going and install them as well as having antivirus running and updated daily.

  • Offline Mark

  • Posts: 3,748
  • Hero Member
Re:XP w. SP2...
Reply #33 on: September 14, 2007, 09:48:46 AM
I'm talking about enterprise class setups, not NAT devices and home firewalls.

Even the worst site I have visited has had their wireless on a DMZ off the Checkpoint, and at best wireless for public internet access is handled by a totally separate network hanging off some other part of their public address space.

In-office LAN wireless will be as tight as a duck's ass - mostly Alvarion, but Cisco Aironet growing in popularity - then you have your switch access lists applied to every client also.


  • Offline Serious

  • Posts: 14,467
  • Global Moderator
  • Hero Member
Re:XP w. SP2...
Reply #34 on: September 14, 2007, 13:48:18 PM
So was I. There are still lots of them that don't even set up their equipment properly or attempt to identify and limit those who are using it. There are still far too many open networks out there.

The second bit is my own protection which is given as an example, sorry for the confusion.

    • Move It Fatboy
  • Offline Rivkid

  • Posts: 3,569
  • Hero Member
Re:XP w. SP2...
Reply #35 on: September 14, 2007, 14:01:04 PM
Quote from: Mark
I'm talking about enterprise class setups, not NAT devices and home firewalls.

Even the worst site I have visited has had their wireless on a DMZ off the Checkpoint, and at best wireless for public internet access is handled by a totally separate network hanging off some other part of their public address space.

In-office LAN wireless will be as tight as a duck's ass - mostly Alvarion, but Cisco Aironet growing in popularity - then you have your switch access lists applied to every client also.



Totally agree - no (decent) enterprise customer would just have a firewall out to the LAN and that's it. You firewall off every section - VLANs, different departments, even between perimeter and back end Exchange servers. Also the use of ASA, MARS, and IDS sensor systems make your software patches so insignificant it's unreal. As for wireless, Cisco and Alvarion (also Artem and the now defunct Madge) offer some pretty solid security systems. Madge's offering (now bought out but still available) is incredible and will automatically detect and block any unauthorised access and also deny outgoing connections to rogue APs.
Career, Wife, Mortgage... my sig was better when it listed guitars and PC's and stuff!
