Re: [fw-wiz] Use of firewalls in networks of today (Was: Re: Setting up H323 IP telephony etc )

From: Mikael Olsson (mikael.olsson_at_clavister.com)
Date: 09/01/03

    To: "Marcus J. Ranum" <mjr@ranum.com>
    Date: Mon, 01 Sep 2003 16:58:53 +0200
    
    

    "Marcus J. Ranum" wrote:
    >
    > This whole firewall "thing" has become an exercise in wishful-thinking
    > "have your cake and eat it too" -- and in the long run it's not going to
    > work. It only works now because the hackers aren't as smart as
    > they and the media think they are.

    That would be the curmudgeon view, yes, and I'll confess to being
    guilty of it on some of my darker days.

    The important difference is that firewalls (as in "the box that all
    traffic to the Internet has to pass through") can no longer be used
    for risk elimination for meaningful values of "network traffic".
    If, indeed, they ever could. Now, it's about risk mitigation, and
    it's just one tool of many in securing your network (perimeter).

    But do people realize this? Heck no.

    - "My web server got infected with Nimda! Your firewall sucks!"
    - "Um, no. Look, none of your internal systems got hit in turn by
       the web server. The firewall did the job you configured it
       to do. We explain this in detail in chapter 1 in the glossy
       user's guide."
    - "%#@&¤%&@#% I want my money back!"

    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
