RE: [fw-wiz] Evolution of Firewalls

From: Melson, Paul (
Date: 03/08/04

  • Next message: Dave Piscitello: "Re: [fw-wiz] Evolution of Firewalls"
    To: <>, <>
    Date: Mon, 8 Mar 2004 16:35:49 -0500

    One thing that I would caution you about is to not confuse conceptual
    access control methodologies for the actual firewall products that go in
    your rack. There is a great leap from theory to implementation, and an
    even greater leap from marketing hype to actual product specifications
    and capabilities. And both of those leaps are the stuff of proprietary
    code and trade secrets.

    You will save a lot of time by first defining the capabilities and
    requirements for your corporate firewall, then evaluating individual
    products against that criteria. If you decide which products to
    consider based on which conceptual methodology their marketing
    literature invokes, you run the risk of ending up with a product that
    meets neither your needs nor your expectations.


    -----Original Message-----
    Hi, I am currently evaluating several types of firewalls for the

    Our team is currently debating if Stateful Deep Inspection firewall is
    going be the new technology to replace the Application Proxies firewall
    which deem to be most secure currently.

    I personally feel that Deep Inspection firewall is less reliable as we
    know that it only blocks what is known to be bad. This seems to be less
    effective and become an never-ending arm race where Deep Inspectioin
    firewall requires the most updated bad list all the time.

    On the other hand, Application Proxies firewall only allows what is
    known to be good. This makes the defence become more effective as we
    know good things do not change as frequently as bad things.

    Any input would be very much appreciated.
    firewall-wizards mailing list

  • Next message: Dave Piscitello: "Re: [fw-wiz] Evolution of Firewalls"