RE: [fw-wiz] so much for "deny all"

From: Paul Melson (psmelson_at_comcast.net)
Date: 06/14/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 14 Jun 2005 08:54:47 -0400
    
    

    I think that Gartner's assertion that these firewalls "...allow all network
    traffic and behavior..." is likely to be a misstatement, at least insofar as
    these devices are either a) intended to be deployed behind an existing
    firewall with a typical ACL/NAT policy or b) have typical ACL and NAT
    capabilities in addition to [meaningless buzzword omitted] features. Either
    way, they can still be configured with a default deny-all rule.

    I think it's much ado about nothing (both the panic and the hype). The real
    issue is the same issue that's been plaguing networks since the first
    "stateful" firewalls shipped to customers: it is easier to adopt a sloppy
    trust model than it is to discover, document, and enforce a strict traffic
    policy. Despite the obvious problems, firewall vendors are ultimately just
    vendors. They must move units, and therefore their products have features
    that appeal to our lazy networks and lax policies.

    PaulM

    -----Original Message-----
    Subject: Re: [fw-wiz] so much for "deny all"

    From the TechTarget coverage of the Gartner Security Summit this week:
    "Next generation firewalls that do deep-packet inspections from
    vendors like Juniper Networks, Check Point and Fortinet employ a
    heuristics engine and allow all network traffic and behavior, except
    those which policy says it must block. Most enterprises, however,
    refresh their firewall purchases on a three- to five-year cycle and
    that makes it challenging to synch new features."

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
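The two trust models the thread argues over, a ruleset that ends in "deny all" versus one that admits everything not explicitly blocked, can be shown with a toy first-match evaluator. This is an added illustration, not code from the list post or from any vendor product; the rule format, the 192.0.2.x/203.0.113.x addresses and the sample flows are constructed for it.

```python
"""Toy first-match packet filter (added illustration, not code from the post).
Rules, addresses and flows below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    dport: Optional[int]  # None matches every destination port

    def matches(self, src: str, dst: str, dport: int) -> bool:
        def in_net(addr: str, net: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return (in_net(src, self.src) and in_net(dst, self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, default, flow):
    """First matching rule wins; an unmatched flow falls to the policy default."""
    for rule in rules:
        if rule.matches(*flow):
            return rule.action, "rule"
    return default, "default"


# Constructed policies protecting one web server (192.0.2.10, documentation range).
DENY_ALL_POLICY = [Rule("allow", "any", "192.0.2.10/32", 443),
                   Rule("allow", "any", "192.0.2.10/32", 80)]   # default: deny
BLOCK_LIST_POLICY = [Rule("deny", "any", "192.0.2.10/32", 23)]  # default: allow

# Constructed sample flows: (src, dst, dport).
FLOWS = {"https": ("203.0.113.7", "192.0.2.10", 443),
         "telnet": ("203.0.113.7", "192.0.2.10", 23),
         "rdp-to-unlisted-host": ("203.0.113.7", "192.0.2.44", 3389)}


def compare(flow):
    """Verdict of each trust model for one flow."""
    return {"deny_all": evaluate(DENY_ALL_POLICY, "deny", flow)[0],
            "block_list": evaluate(BLOCK_LIST_POLICY, "allow", flow)[0]}


def undocumented_allows(rules, default, flows):
    """Flows admitted by the default alone, i.e. traffic no rule ever documented."""
    return sorted(name for name, flow in flows.items()
                  if evaluate(rules, default, flow) == ("allow", "default"))
```

Running `undocumented_allows` against the block-list policy lists every flow that passes without any rule having decided on it, which is the "discover, document, and enforce" gap the post describes.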

