RE: [fw-wiz] Multiple firewalls from different manufactureres
From: Paul D. Robertson (paul_at_compuwar.net)
Date: 01/29/05
- Previous message: Marcus J. Ranum: "RE: [fw-wiz] Multiple firewalls from different manufactureres"
- In reply to: R. DuFresne: "RE: [fw-wiz] Multiple firewalls from different manufactureres"
- Next in thread: Marcus J. Ranum: "RE: [fw-wiz] Multiple firewalls from different manufactureres"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "R. DuFresne" <dufresne@sysinfo.com> Date: Sat, 29 Jan 2005 10:06:55 -0500 (EST)
On Fri, 28 Jan 2005, R. DuFresne wrote:
> Because changes are made without any real audit taking place, and no
> overseeing done by the security group, what we catch are those changes
> that break application connectivity. What we totally miss are those
> changes that break security.
Indeed, that's one of the reasons I see great promise in Algorithmic
Security's Firewall Analyzer product[1]. That's also why I believe that
configuration review is vastly superior to penetration testing. A
pen-test *may* uncover a generic hole, but isn't likely to find a specific
one, while validating the configuration should always work.
Ruleset changes over time should be documented; that's the only way to get
good accountability.
While I'm mentioning products, Clavister's[2] client forces version
control on config files for you to keep for strong audit. It's a text file, so
diff works fine for change reporting.
> Shimming in security is tough enough, without having to try and shim it in
> without taking it into consideration at the beginning of the project,
> mostly due to lack of a top down management approach towards security,
> which despite all the press claiming security is growing by leaps and
> bounds, remains far too common in this state of the game.
Well, it's top-down in that they now say "We need security so we don't get
thrown in jail!" ;)
The interesting thing to me is that the regulatory environment may force
real discipline in organizations where firewall rule changes were known,
executed and understood by only one person- the one making the changes.
The "good old days" of "Hold on a sec- ok it's updated" may be vanishing
more quickly than we're all prepared for.
Paul
[1] Disclaimer: I'm on their Technical Advisory Board. Contact me
off-list for further discussion.
[2] Disclaimer: I use their firewall at home. Contact Mike off-list for
further discussion ;)
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
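As an added illustration of the change-reporting idea in the post above (this is not Paul's code, nor Clavister's or Algorithmic Security's, and it does not use any real product's config format): two versions of a text ruleset in a hypothetical "action proto src dst port" line format are compared, and the report lists added and removed rules and flags any newly added allow rule that opens a host to "any" source or destination, which is exactly the kind of change that breaks security without breaking connectivity. Both rulesets are constructed samples embedded in the script.

```python
"""Change report between two versions of a text firewall ruleset.

Added example for the firewall-wizards thread; the rule format is
hypothetical and the rulesets below are constructed samples.
"""
import difflib

# Constructed sample: version 1 of an edge ruleset.
OLD_RULES = """\
# edge firewall ruleset v1 (constructed sample)
allow tcp 10.0.0.0/8 192.168.1.10 443
allow tcp 10.0.0.0/8 192.168.1.20 22
deny  any any any any
"""

# Constructed sample: version 2, after an unaudited change.
NEW_RULES = """\
# edge firewall ruleset v2 (constructed sample)
allow tcp 10.0.0.0/8 192.168.1.10 443
allow tcp any 192.168.1.20 22
allow udp 10.0.0.0/8 192.168.1.30 53
deny  any any any any
"""


def parse_rules(text):
    """Parse 'action proto src dst port' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, proto, src, dst, port = line.split()
        rules.append((action, proto, src, dst, port))
    return rules


def unified_diff(old_text, new_text):
    """Plain textual diff, the same thing 'diff -u' on the two files would give."""
    return "".join(
        difflib.unified_diff(
            old_text.splitlines(True), new_text.splitlines(True), "old", "new"
        )
    )


def change_report(old_text, new_text):
    """Semantic diff: which rules were added/removed, and which need review.

    A rule 'needs review' when it is a newly added allow rule with 'any'
    as source or destination, i.e. a change that widens exposure.
    """
    old = set(parse_rules(old_text))
    new = set(parse_rules(new_text))
    added = sorted(new - old)
    removed = sorted(old - new)
    needs_review = [
        r for r in added if r[0] == "allow" and "any" in (r[2], r[3])
    ]
    return {"added": added, "removed": removed, "needs_review": needs_review}


if __name__ == "__main__":
    print(unified_diff(OLD_RULES, NEW_RULES))
    report = change_report(OLD_RULES, NEW_RULES)
    for key, rules in report.items():
        print(f"{key}:")
        for rule in rules:
            print("   ", " ".join(rule))
```

The textual diff is what a version-controlled config gives you for free; the semantic report on top of it is what turns "something changed" into "rule for 192.168.1.20:22 was widened from 10.0.0.0/8 to any", which is the item a security group would want to sign off on.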