Re: [fw-wiz] How automate firewall tests
- From: "Marcus J. Ranum" <mjr@xxxxxxxxx>
- Date: Tue, 22 Aug 2006 00:26:39 -0400
Chris Byrd wrote:
I guess the question then is, what is the solution?
Oh, sheesh, it's not enough for you that I help identify the problem,
you want me to take another stab at solving it?!? My last attempt
wasn't very popular or successful; I'm discouraged.
Defense-in-depth, compartmentalization, and diligent
patching all help, but surely there has got to be a way to build a
better mouse trap - err - firewall.
Security is a complexity problem. Software is too complex to
understand the ramifications of its combinations, when you toss
in a hostile actor. The "solution" - if there is one - is not to add
more stuff, but rather to take stuff away. If you accept my
argument that security is a complexity problem, then it follows
logically that ADDING more stuff (firewalls, IPS, autopatching,
etc, etc) is actually going to make things worse in the long
run, rather than better. But: define "worse" - it's going to make
a lot of money for a lot of people.
What about the handful of L7 firewalls out there? Sidewinder and the
like? Don't they manage to keep up on fast links? Can you move the
processing into FPGAs or similar?
I think Secure Computing has been pretty effectively rolling the
layer-7 technology into their portfolio. At this point they're the
remaining vendor playing hard in that space.
Its not that I want a silver bullet in a firewall, just that I want it
to do more than just be a hunk of metal in line.
Awww, c'mon - you've got _REGEXPS_ in your firewall, now, what
MORE do you NEED? *snicker*
firewall-wizards mailing list