RE: [fw-wiz] Firewalls Compared
From: Jim Seymour (jseymour_at_linxnet.com)
To: firstname.lastname@example.org
Date: Tue, 29 Jun 2004 10:19:11 -0400 (EDT)
"Stiennon,Richard" <Richard.Stiennon@gartner.com> wrote:
> Am I the only one that sees a huge difference between an application
> proxy (a la the good old days of server based firewalls) and filters
> that are applied to payloads (a la Network Intrusion Prevention) by
> inline network devices?
Er... no? (Depending on how you define "filter.")
> Let's keep in mind that stateful inspection firewalls are GREAT
> security devices. They protect over 80% of enterprise networks today.
FSVO "protection." Their popularity does not, of necessity, make them
the best solution.
> SQL Slammer cannot get through a firewall with port 1443 blocked. Same
> for MSBlaster, Welchia etc.
Those can't get through my little NAT DSL router at home, but I hardly
refer to that NAT box as a "firewall."
> Worms generally target Microsoft vulnerabilities. Are you going to
> write application proxies for Exchange? ASN 1? Does anyone other than
> MSFT even know how these applications communicate? Not.
Which is as good a reason as any other, perhaps a better reason, not to
allow such things through whatever you use that passes as a firewall.
What an... interesting argument. It's a proprietary protocol that we
do not, and likely can not, know anything about, so we just let it in
and hope for some internal, after-the-fact defenses to deal with it?
> But, you know
> what the vulnerability looks like and could look at traffic and
> identify malicious activity even without signatures.
I'm trying to reconcile "know what the vulnerability looks like" with
"even without signatures," and failing miserably.
> The future of
> network security is all about inspecting traffic. It is not about
> application proxies.
In your opinion. Personally, I prefer defense-in-depth. Try to keep
it from getting in, in the first place. Assume something will defeat
my border defenses, and so harden everything inside as best I can [*]
and deploy internal detection and reactive defenses.
[*] "As best I can" amounts to what's technically possible, as much
as possible w/o crippling usability beyond tolerable limits.
Without meaning to be insulting, really, I do have to say that if
Mr. Stiennon's position is common amongst the analysts at Gartner,
that organization's cachet has just taken a *major* hit in my eyes.
Perhaps I'm missing/misunderstanding something. If so: Somebody
kindly enlighten me?
firewall-wizards mailing list