RE: [fw-wiz] Firewalls Compared

From: Jim Seymour (jseymour_at_linxnet.com)
Date: 06/29/04

  • Next message: George Capehart: "Re: [fw-wiz] Firewalls Compared"
    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 29 Jun 2004 10:19:11 -0400 (EDT)
    
    

    "Stiennon,Richard" <Richard.Stiennon@gartner.com> wrote:
    >
    > Am I the only one that sees a huge difference between an application
    > proxy (ala the good old days of server based firewalls) and filters
    > that are applied to payloads (ala Network Intrusion Prevention) by
    > inline network devices?

    Er... no? (Depending on how you define "filter.")

    >
    > Let's keep in mind that stateful inspection firewalls are GREAT
    > security devices. They protect over 80% of enterprise networks today.

    FSVO "protection." Their popularity does not, of necessity, make them
    the best solution.

    > SQL Slammer cannot get through a firewall with port 1443 blocked. Same
    > for MSBlaster, Welchia etc.

    Those can't get through my little NAT DSL router at home, but I hardly
    refer to that NAT box as a "firewall."

    >
    [snip]
    >
    > Worms generally target Microsoft vulnerabilities. Are you going to
    > write application proxies for Exchange? ASN 1? Does anyone other than
    > MSFT even know how these applications communicate? Not.

    Which is as good a reason as any other, perhaps a better reason, not to
    allow such things through whatever you use that passes as a firewall.

    What an... interesting argument. It's a proprietary protocol that we
    do not, and likely can not, know anything about, so we just let it in
    and hope for some internal, after-the-fact defenses to deal with it?

    > But, you know
    > what the vulnerability looks like and could look at traffic and
    > identify malicious activity even without signatures.

    I'm trying to reconcile "know what the vulnerability looks like" with
    "even without signatures," and failing miserably.

    > The future of
    > network security is all about inspecting traffic. It is not about
    > application proxies.

    In your opinion. Personally, I prefer defense-in-depth. Try to keep
    it from getting in, in the first place. Assume something will defeat
    my border defenses, and so harden everything inside as best I can [*]
    and deploy internal detection and reactive defenses.

    [*] "As best I can" amounts to what's technically possible, as much
        as possible w/o crippling usability beyond tolerable limits.

    Without meaning to be insulting, really, I do have to say that if
    Mr. Stiennon's position is common amongst the analysts at Gartner,
    that organization's cache' has just taken a *major* hit in my eyes.

    Perhaps I'm missing/misunderstanding something. If so: Somebody
    kindly enlighten me?

    Jim
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  • Next message: George Capehart: "Re: [fw-wiz] Firewalls Compared"