RE: [fw-wiz] so much for "deny all"
From: Paul Melson (psmelson_at_comcast.net)
To: <firstname.lastname@example.org> Date: Tue, 14 Jun 2005 08:54:47 -0400
I think that Gartner's assertion that these firewalls "...allow all network
traffic and behavior..." is likely to be a misstatement, at least insofar as
these devices are either a) intended to be deployed behind an existing
firewall with a typical ACL/NAT policy or b) have typical ACL and NAT
capabilities in addition to [meaningless buzzword omitted] features. Either
way, they can still be configured with a default deny-all rule.
I think it's much ado about nothing (both the panic and the hype). The real
issue is the same issue that's been plaguing networks since the first
"stateful" firewalls shipped to customers: it is easier to adopt a sloppy
trust model than it is to discover, document, and enforce a strict traffic
policy. Despite the obvious problems firewall vendors are ultimately just
vendors. They must move units, and therefore their products have features
that appeal to our lazy networks and lax policies.
Subject: Re: [fw-wiz] so much for "deny all"
From the TechTarget coverage of the Gartner Security Summit this week:
"Next generation firewalls that do deep-packet inspections from
vendors like Juniper Networks, Check Point and Fortinet employ a
heuristics engine and allow all network traffic and behavior, except
those which policy says it must block. Most enterprises, however,
refresh their firewall purchases on a three- to five-year cycle and
that makes it challenging to synch new features."
firewall-wizards mailing list