RE: [fw-wiz] so much for "deny all"
From: Tina Bird (tbird_at_precision-guesswork.com)
Date: 06/10/05
- Previous message: Rik Schneider: "RE: [fw-wiz] Host based vs network firewall in datacenter"
- In reply to: Dave Piscitello: "Re: [fw-wiz] so much for "deny all""
- Next in thread: Dave Piscitello: "RE: [fw-wiz] so much for "deny all""
- Reply: Dave Piscitello: "RE: [fw-wiz] so much for "deny all""
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <dave@corecom.com>
Date: Fri, 10 Jun 2005 14:51:24 -0700
> On 7 Jun 2005 at 9:41, Tina Bird wrote:
>
> > From the TechTarget coverage of the Gartner Security Summit this
> > week:
> >
> > "Next generation firewalls that do deep-packet inspections from
> > vendors like Juniper Networks, Check Point and Fortinet employ a
> > heuristics engine and allow all network traffic and behavior, except
> > those which policy says it must block. Most enterprises, however,
> > refresh their firewall purchases on a three- to five-year cycle and
> > that makes it challenging to synch new features."
> From: Dave Piscitello [mailto:dave@corecom.com]
>
> This is very good publicity for firewall vendors not in the list who
> provide a default "DENY ALL" in policy configuration. I'll enjoy
> tormenting friends at these companies over this:-)
I guess that's one way to look at it. I'd like to think that folks at those
companies will be cringing, and refusing to pay for multi-martini lunches
(if anyone in this politically correct time still indulges in multi-martini
lunches). Although I wonder how many of the companies that ship with a "deny
all" config will now be accused of being out of touch with the real world,
or at least the real world as defined by Gartner.
> But the 2nd statement is very odd, don't you think? Not only is it
> remarkably difficult to parse, but it flies in the face of (my)
> experience.
>
> Taking the source with a grain of salt, I find it hard to believe
> that most enterprises change security vendors every five years.
Well, the company at which I did my first firewall install replaced the
whole shebang within a year of my leaving, claiming that my rock-solid
Sidewinder infrastructure was too hard to manage, and putting in PIXen
instead. But I agree that *most* places don't do that. We're generally
content with the devil we know.
> Perhaps 100% of my clients buck this trend. Upgrades, yes.
> Forklifting firewalls? I have yet to see this except in circumstances
> where the prior firewall failed pitifully in enforcing policy.
I have seen several organizations replace firewall or VPN architectures, and
almost never for a technical reason - almost always for political or
financial ones.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
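The quoted Gartner/TechTarget description ("allow all network traffic and behavior, except those which policy says it must block") versus the default "deny all" the thread defends is easiest to see by running the same rule set under both default policies. The following is an added example, not code from the list post or from any vendor's product; the rule set, packets and addresses (RFC 5737 documentation ranges) are constructed for illustration, and the first-match evaluator is an assumption that mirrors how most stateful firewalls walk a rule base.

```python
"""Default-allow vs. default-deny: same rule base, different leaks.

Added illustration, not from the firewall-wizards post. Rules, hosts
and packets below are constructed sample data (RFC 5737 addresses).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst_net: str           # destination network in CIDR form
    dst_port: Optional[int]  # None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule applies to the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst_net):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str) -> str:
    """First-match evaluation (assumed semantics); `default` applies
    when no rule matches, which is exactly where the two policies differ."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def leaks(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    """Packets a default-allow firewall passes that default-deny would stop."""
    return [
        p for p in packets
        if evaluate(rules, p, "allow") == "allow"
        and evaluate(rules, p, "deny") == "deny"
    ]


# Constructed rule base written in the "block what policy names" style:
# the admin listed the things known to be bad and the one service meant
# to be public, and nothing else.
DMZ = "192.0.2.0/24"
RULES = [
    Rule("deny", "tcp", DMZ, 23),    # telnet
    Rule("deny", "tcp", DMZ, 445),   # SMB
    Rule("allow", "tcp", DMZ, 80),   # the public web server
]

# Constructed traffic from the Internet toward the DMZ. The last two
# packets target ports nobody wrote a rule for (a newly enabled RDP
# listener and an admin interface on 8080).
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.7", "192.0.2.10", 80),
    Packet("tcp", "203.0.113.7", "192.0.2.10", 23),
    Packet("tcp", "203.0.113.7", "192.0.2.10", 445),
    Packet("tcp", "203.0.113.7", "192.0.2.10", 3389),
    Packet("tcp", "203.0.113.7", "192.0.2.11", 8080),
]


def report(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """One line per packet showing the verdict under each default policy."""
    lines = []
    for p in packets:
        lines.append(
            f"{p.proto} {p.src} -> {p.dst}:{p.dport}  "
            f"default-allow={evaluate(rules, p, 'allow')}  "
            f"default-deny={evaluate(rules, p, 'deny')}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(report(RULES, SAMPLE_PACKETS)))
    print("\nOnly passed under default-allow:",
          [p.dport for p in leaks(RULES, SAMPLE_PACKETS)])
```

The point the thread is making falls out of the last line: the rule base is identical in both runs, yet the default-allow firewall passes the two services the administrator never thought about, and a "deny all" base policy means the cost of a forgotten rule is an outage ticket rather than an exposed port.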