RE: [fw-wiz] Firewalls Compared

• Previous message: Crispin Cowan: "Re: [fw-wiz] Firewalls Compared"
• Maybe in reply to: Ben Nagy: "RE: [fw-wiz] Firewalls Compared"
• Next in thread: Ben Nagy: "RE: [fw-wiz] Firewalls Compared"
• Reply: Ben Nagy: "RE: [fw-wiz] Firewalls Compared"
• Reply: Shimon Silberschlag: "[fw-wiz] Geographically Distributed sites, layer 2 clusters and firewalls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@honor.icsalabs.com
Date: Tue, 29 Jun 2004 10:19:11 -0400 (EDT)

"Stiennon,Richard" <Richard.Stiennon@gartner.com> wrote:
>
> Am I the only one that sees a huge difference between an application
> proxy (ala the good old days of server based firewalls) and filters
> that are applied to payloads (ala Network Intrusion Prevention) by
> inline network devices?

Er... no? (Depending on how you define "filter.")

>
> Let's keep in mind that stateful inspection firewalls are GREAT
> security devices. They protect over 80% of enterprise networks today.

FSVO "protection." Their popularity does not, of necessity, make them
the best solution.

> SQL Slammer cannot get through a firewall with port 1443 blocked. Same
> for MSBlaster, Welchia etc.

Those can't get through my little NAT DSL router at home, but I hardly
refer to that NAT box as a "firewall."

>
[snip]
>
> Worms generally target Microsoft vulnerabilities. Are you going to
> write application proxies for Exchange? ASN 1? Does anyone other than
> MSFT even know how these applications communicate? Not.

Which is as good a reason as any other, perhaps a better reason, not to
allow such things through whatever you use that passes as a firewall.

What an... interesting argument. It's a proprietary protocol that we
do not, and likely can not, know anything about, so we just let it in
and hope for some internal, after-the-fact defenses to deal with it?

> But, you know
> what the vulnerability looks like and could look at traffic and
> identify malicious activity even without signatures.

I'm trying to reconcile "know what the vulnerability looks like" with
"even without signatures," and failing miserably.

> The future of
> network security is all about inspecting traffic. It is not about
> application proxies.

In your opinion. Personally, I prefer defense-in-depth. Try to keep
it from getting in, in the first place. Assume something will defeat
my border defenses, and so harden everything inside as best I can [*]
and deploy internal detection and reactive defenses.

[*] "As best I can" amounts to what's technically possible, as much
    as possible w/o crippling usability beyond tolerable limits.

Without meaning to be insulting, really, I do have to say that if
Mr. Stiennon's position is common amongst the analysts at Gartner,
that organization's cache' has just taken a *major* hit in my eyes.

Perhaps I'm missing/misunderstanding something. If so: Somebody
kindly enlighten me?

Jim
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: Crispin Cowan: "Re: [fw-wiz] Firewalls Compared"
• Maybe in reply to: Ben Nagy: "RE: [fw-wiz] Firewalls Compared"
• Next in thread: Ben Nagy: "RE: [fw-wiz] Firewalls Compared"
• Reply: Ben Nagy: "RE: [fw-wiz] Firewalls Compared"
• Reply: Shimon Silberschlag: "[fw-wiz] Geographically Distributed sites, layer 2 clusters and firewalls"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]