Re: [fw-wiz] How automate firewall tests



Chris Byrd wrote:
I guess the question then is, what is the solution?

Oh, sheesh, it's not enough for you that I help identify the problem,
you want me to take another stab at solving it?!? My last attempt
wasn't very popular or successful; I'm discouraged.

Defense-in-depth, compartmentalization, and diligent
patching all help, but surely there has got to be a way to build a
better mouse trap - err - firewall.

Nope!!!

Security is a complexity problem. Software is too complex to
understand the ramifications of its combinations, when you toss
in a hostile actor. The "solution" - if there is one - is not to add
more stuff, but rather to take stuff away. If you accept my
argument that security is a complexity problem, then it follows
logically that ADDING more stuff (firewalls, IPS, autopatching,
etc, etc) is actually going to make things worse in the long
run, rather than better. But: define "worse" - it's going to make
a lot of money for a lot of people.

What about the handful of L7 firewalls out there? Sidewinder and the
like? Don't they manage to keep up on fast links? Can you move the
processing into FPGAs or similar?

I think Secure Computing has been pretty effectively rolling the
layer-7 technology into their portfolio. At this point they're the
remaining vendor playing hard in that space.

It's not that I want a silver bullet in a firewall, just that I want it
to do more than just be a hunk of metal in line.

Awww, c'mon - you've got _REGEXPS_ in your firewall, now, what
MORE do you NEED? *snicker*

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


