Re: [fw-wiz] Evolution of Firewalls
From: Dave Piscitello (dave_at_corecom.com)
Date: 03/08/04
- Previous message: Kevin Miller: "[fw-wiz] Checkpoint Interspect"
- In reply to: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
- Next in thread: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
- Reply: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
- Reply: ArkanoiD: "Re: [fw-wiz] Evolution of Firewalls"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] Evolution of Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Frederick M Avolio <fred@avolio.com>, <skpoo@pacific.net.sg>, <firewall-wizards@honor.icsalabs.com> Date: Mon, 08 Mar 2004 14:37:02 -0500
Stateful inspection, deep packet inspection, application protection,
application intelligence, application aware ...
Lots of names for the same security functionality: examining application
headers and application data streams for attacks and blocking them. You can
and some vendors still do this using proxy architecture, while some use the
same stateful packet inspecting methods they used to examine network
protocol headers.
The most secure firewall? Probably has less to do with proxy vs. stateful
inspection than policy, implementation/configuration, and the admin at the
policy console.
At 08:48 PM 3/7/2004 -0500, Frederick M Avolio wrote:
>At 11:56 PM 3/4/2004 +0800, skpoo@pacific.net.sg wrote:
>>... Our team is currently debating if Stateful Deep Inspection firewall
>>is going be the new technology to replace the Application Proxies
>>firewall which deem to be most secure currently. ...
>
>At the risk of being obvious -- or worse, being called a dinosaur :-), It
>depends. Do you care more about usability or security? When push comes to
>shove is it more important to never stop a connection at the risk of the
>possibility of something bad slipping through? It really is as simple as
>that. I tell people in one of my classes, you hear about it if you
>misconfigure your firewall to reject a required action, but will rarely
>hear about if if you allow too much through. (I stated it as "You always
>hear about conservative errors but rarely about liberal ones," but that
>could be taken wrong now-a-days.)
>
>Fred
>
>_______________________________________________
>firewall-wizards mailing list
>firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Kevin Miller: "[fw-wiz] Checkpoint Interspect"
- In reply to: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
- Next in thread: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
- Reply: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
- Reply: ArkanoiD: "Re: [fw-wiz] Evolution of Firewalls"
- Reply: Marcus J. Ranum: "Re: [fw-wiz] Evolution of Firewalls"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
