Re: [fw-wiz] Firewalls that generate new packets..

From: "Paul Melson" <pmelson@xxxxxxxxx>
Date: Mon, 26 Nov 2007 09:44:57 -0500

Isn't that kind of amazing? People look at these "stateful firewalls" as

if they're somehow

doing something IMPORTANT but they're basically a router with

"established" and a kind of

"synthetic established" for UDP. People, that's barely a security device

at all - 99% of what

you're getting is the "firewall" sticker on the front.

You're overlooking the real value of state tables, I think. The real
advantage isn't technical, it's cognitive. If I don't have to think about,
decide on, classify, and manage all ends of the traffic crossing my border,
my life is a whole lot easier. A stateful firewall lets you think about
your policy in terms of published services; "I let the whole Internet
connect to this web server and that mail server, but nothing else. And then
whatever our people inside want to do."

Call it cynical. Call it misguided. Call it naive. Call it stupid. But
it saves time and energy which translates to money. And it seems to be
where the equilibrium for the firewall security vs. admin overhead equation
is, or at least has been in recent history.

PaulM

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Follow-Ups:
- Re: [fw-wiz] Firewalls that generate new packets..
  - From: Jim Seymour

References:
- Re: [fw-wiz] Firewalls that generate new packets..
  - From: Bill McGee (bam)
- Re: [fw-wiz] Firewalls that generate new packets..
  - From: Paul D. Robertson
- Re: [fw-wiz] Firewalls that generate new packets..
  - From: Marcus J. Ranum

Prev by Date: Re: [fw-wiz] Firewalls that generate new packets..
Next by Date: Re: [fw-wiz] Firewalls that generate new packets..
Previous by thread: Re: [fw-wiz] Firewalls that generate new packets..
Next by thread: Re: [fw-wiz] Firewalls that generate new packets..
Index(es):
- Date
- Thread

Relevant Pages

Re: disconnect a hacker
... My Web server station is right next ... my attention divided by security concerns... ... see an IP connected to port 80, ... I've been forwarding my firewall logs to my ISP, ...
(alt.computer.security)
Re: Firewall on server itself
... Perhaps the iptables could defend against an intruder who is already ... Firewall vender specific vulnerabilities ... >> be configured to protect the web server as well other computers on ... > The Gartner Group just put Neoteris in the top of its Magic Quadrant, ...
(Security-Basics)
Re: [fw-wiz] Using SSL accelerators in firewalls
... It also depends on what you're using your SSL for, and how tightly you can couple ... your firewall with your web application. ... web server don't have to be very aware of each other. ... >> lost in the process and the security of transactions eroded. ...
(Firewall-Wizards)
Re: security advice (possible hacker activity?)
... > trojan or worm is installed onto the web server. ... > itself through the firewall to an email user on a PC, ... > the IIS web server. ... IWAM runs any site with Access or SQL. ...
(microsoft.public.inetserver.iis.security)
Re: security advice (possible hacker activity?)
... > trojan or worm is installed onto the web server. ... > itself through the firewall to an email user on a PC, ... > the IIS web server. ... IWAM runs any site with Access or SQL. ...
(microsoft.public.win2000.security)