RE: [fw-wiz] so much for "deny all"

From: Paul Melson (
Date: 06/14/05

  • Next message: Dave Piscitello: "RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"
    To: <>
    Date: Tue, 14 Jun 2005 08:54:47 -0400

    I think that Gartner's assertion that these firewalls "...allow all network
    traffic and behavior..." is likely to be a misstatement, at least insofar as
    these devices are either a) intended to be deployed behind an existing
    firewall with a typical ACL/NAT policy or b) have typical ACL and NAT
    capabilities in addition to [meaningless buzzword omitted] features. Either
    way, they can still be configured with a default deny-all rule.

    I think it's much ado about nothing (both the panic and the hype). The real
    issue is the same issue that's been plaguing networks since the first
    "stateful" firewalls shipped to customers: it is easier to adopt a sloppy
    trust model than it is to discover, document, and enforce a strict traffic
    policy. Despite the obvious problems firewall vendors are ultimately just
    vendors. They must move units, and therefore their products have features
    that appeal to our lazy networks and lax policies.


    -----Original Message-----
    Subject: Re: [fw-wiz] so much for "deny all"

    From the TechTarget coverage of the Gartner Security Summit this week:
    "Next generation firewalls that do deep-packet inspections from
    vendors like Juniper Networks, Check Point and Fortinet employ a
    heuristics engine and allow all network traffic and behavior, except
    those which policy says it must block. Most enterprises, however,
    refresh their firewall purchases on a three- to five-year cycle and
    that makes it challenging to synch new features."

    firewall-wizards mailing list

  • Next message: Dave Piscitello: "RE: [fw-wiz] Ok, so now we have a firewall, we're safe, right?"