What do you consider to not be a toy f/w?
Something that doesn't run on the host that it's trying to protect and hence
absolutely cannot *guarantee* any kind of proper outbound filtering no
matter what you do would be a decent start.
Robert:
Valid point, except for pragmatics.
I have used MS's ISA product, and have complained loudly about using
MS's Small Business Server product with ISA running on the SBS server, when
ISA should be on a dedicated perimeter device!
But, it is not practical to expect end users to run a dedicated proxy server
or to be knowledgeable of their details. Therefore, we have "toy" f/ws
that IMO do provide value, even though they are less than ideal.
Also, users may not be willing to take a dedicated proxy server to a WiFi
hotspot.
Re: absolutely cannot *guarantee* any kind of proper outbound filtering no
matter what you do
Your expectations are higher than mine. IMO, all software is suspect to some
degree eventually; that is why one should have multiple backups.