Re: [fw-wiz] The Death Of A Firewall

From: Christine Kronberg (Christine_Kronberg_at_genua.de)
Date: 07/21/05

  • Next message: Paul Melson: "RE: [fw-wiz] Intel vs. special purpose FW-1 servers"
    To: firewall-wizards@honor.icsalabs.com
    Date: Thu, 21 Jul 2005 16:54:08 +0200 (CEST)
    
    

    On Mon, 18 Jul 2005, Martin Hoz wrote:
    > On 7/9/05, James Paterson <jpaterson@datamirror.com> wrote:
    >> http://www.securitypipeline.com/165700439
    >>
    >> Be interesting to get the community's take on this article.
    >>
    >
    > I'd like to raise a couple of things:
    > A) the article says " By defining simple ACLs, we further isolate our
    > backend servers" - I ask, is not an ACL a firewall after all? - Packet
    > filter, but I think it fits in the definition of a firewall.

       I disagree. A firewall is far more than a simple packet filter.
       There is a whole concept to fulfil.

    > So, this makes me think the author still thinks that some form of
    > firewall still has some use in the network, AFA I can tell
    >
    > B) "The servers and their respective applications sit in their own
    > DMZ, protected by an Application-layer firewall". So, an application
    > firewall still has some uses too...

       Yes, definitely. :-)

    > I find the article interesting but contradictory... because, if the
    > firewall is dead, how come there are still good uses to it?

       Perhaps because "a" firewall is not "the" firewall? I, too, think
       that there are several points open for discussion. I like the idea
       of thinking of the internal clients as not safe and putting them on
       the same stage as the external clients.
       There was something said about that "secure OS" ... and then ADS was
       mentioned. I wonder how that is supposed to work together. Also that
       part about middleware. Most middleware implementations I'm aware of
       are a nightmare for security.

       Yet, that article gave room for thinking and rethinking.

       Have fun,

                                                         Chris Kronberg.

    -- 
    GeNUA
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
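The point under debate above, that a stateless ACL and a firewall are not the same thing, can be made concrete with a small simulation. The following is an added example, not code from the original thread or from GeNUA: it contrasts a router-style "established" ACL (which judges each packet only by its own header) with a firewall that tracks connections, using constructed sample packets. The `10.0.0.0/8` inside prefix, the addresses and the port numbers are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    sport: int          # source TCP port
    dport: int          # destination TCP port
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

INSIDE = "10."  # hypothetical internal network, 10.0.0.0/8 (assumption)

def stateless_acl(pkt: Packet) -> str:
    """Router-style stateless ACL: every packet is judged on its header alone."""
    # Rule 1: inside hosts may open connections to port 80 anywhere.
    if pkt.src.startswith(INSIDE) and pkt.dport == 80 and pkt.syn and not pkt.ack:
        return "permit"
    # Rule 2: the classic "established" rule. Any inbound packet with ACK set is
    # assumed to be a reply to a connection an inside host already opened; the
    # ACL has no way to verify that assumption.
    if pkt.dst.startswith(INSIDE) and pkt.ack:
        return "permit"
    return "deny"

class StatefulFirewall:
    """Connection-tracking filter: replies are permitted only for flows it saw opened."""

    def __init__(self) -> None:
        # (src, sport, dst, dport) of every connection opened from inside
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "permit"          # belongs to a tracked connection
        if pkt.src.startswith(INSIDE) and pkt.dport == 80 and pkt.syn and not pkt.ack:
            self.flows.add(forward)  # remember the new outbound connection
            return "permit"
        return "deny"                # unsolicited, whatever its flags claim

def run_scenario() -> Dict[str, Dict[str, str]]:
    """Run three constructed packets through both filters and return the verdicts."""
    outbound_syn = Packet("10.1.1.5", "203.0.113.10", 40000, 80, syn=True)
    reply_synack = Packet("203.0.113.10", "10.1.1.5", 80, 40000, syn=True, ack=True)
    # An inbound packet with ACK set that no inside host ever asked for.
    unsolicited_ack = Packet("198.51.100.7", "10.1.1.5", 4444, 22, ack=True)

    fw = StatefulFirewall()
    results: Dict[str, Dict[str, str]] = {}
    for name, pkt in (("outbound_syn", outbound_syn),
                      ("reply_synack", reply_synack),
                      ("unsolicited_ack", unsolicited_ack)):
        results[name] = {"acl": stateless_acl(pkt), "stateful": fw.check(pkt)}
    return results

if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16s} acl={verdict['acl']:7s} stateful={verdict['stateful']}")
```

Both filters pass the legitimate outbound request and its SYN-ACK reply. The difference shows on the third packet: the ACL permits it because it carries an ACK flag, while the connection-tracking filter denies it because no matching flow was ever opened from inside. This is the kind of "whole concept" (tracked state, direction, application awareness) that separates a firewall from a list of match rules.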
    

