Isn't that kind of amazing? People look at these "stateful firewalls" as
if they're somehow doing something IMPORTANT but they're basically a router
with "established" and a kind of "synthetic established" for UDP. People,
that's barely a security device at all - 99% of what you're getting is the
"firewall" sticker on the front.

You're overlooking the real value of state tables, I think. The real
advantage isn't technical, it's cognitive. If I don't have to think about,
decide on, classify, and manage all ends of the traffic crossing my border,
my life is a whole lot easier. A stateful firewall lets you think about
your policy in terms of published services; "I let the whole Internet
connect to this web server and that mail server, but nothing else. And then
whatever our people inside want to do."

Call it cynical. Call it misguided. Call it naive. Call it stupid. But
it saves time and energy which translates to money. And it seems to be
where the equilibrium for the firewall security vs. admin overhead equation
is, or at least has been in recent history.
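A toy model of the policy both posts describe (a router with "established", an idle timer giving UDP its "synthetic established", and a short list of published services that the Internet may reach), added here as an illustration and not code from the thread; the addresses, ports and the 30-second UDP timeout are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" (Internet -> border) or "out" (inside -> Internet)
    syn_only: bool = False  # TCP SYN without ACK, i.e. a connection attempt

class StatefulFirewall:
    """Router with 'established': accept replies to admitted flows, plus policy."""

    def __init__(self, published: Set[Tuple[str, int]], udp_idle: float = 30.0):
        self.published = published      # (proto, port) pairs the whole Internet may reach
        self.udp_idle = udp_idle        # idle timeout that gives UDP a 'synthetic established'
        self.state: Dict[tuple, float] = {}   # flow 5-tuple -> time last seen

    @staticmethod
    def _flow(p: Packet) -> tuple:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _expire(self, now: float) -> None:
        # UDP has no handshake or teardown, so its state only disappears by idling out.
        self.state = {k: t for k, t in self.state.items()
                      if k[0] != "udp" or now - t <= self.udp_idle}

    def decide(self, p: Packet, now: float) -> str:
        self._expire(now)
        for key in (self._flow(p), self._reverse(p)):
            if key in self.state:           # belongs to a flow already admitted
                self.state[key] = now
                return "accept:established"
        if p.direction == "out":            # "whatever our people inside want to do"
            self.state[self._flow(p)] = now
            return "accept:new-outbound"
        # Inbound and not established: only a fresh connection to a published service.
        new_conn = p.syn_only if p.proto == "tcp" else True
        if new_conn and (p.proto, p.dport) in self.published:
            self.state[self._flow(p)] = now
            return "accept:published"
        return "drop"
```

Note that an inbound TCP packet to a published port without the SYN flag and without state is still dropped; that is the whole of the "established" check the first post is describing.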