Re: [fw-wiz] Firewalls that generate new packets..

Jim Seymour wrote:
What
you're telling me is just skip the firewall entirely, and put together
a comprehensive set of "firewall router" packet filtering rules.

That's not what I'm saying. I'm saying is that the action is all
at layer-7 these days. Use a router (or 2 tin cans and some string)
to apply broad, simple, controls at the network layer and make
sure you are directing traffic to locked down layer-7 services
on machines that you think can handle them.

Firewalls have always consisted (in my mind, anyhow..) of
"block and carry" - think of the basic stuff the firewall does
as blocking big chunks of traffic so that your layer-7 picture
is refined to the point where you can effectively reason
about it. In that model a proxy is just a "carry" tool for
layer-7 traffic - and you can then reason about the security
controls (if you're using more than just a plug-board
proxy, which is axiomatically the same as a router
permit port ACL) in the proxy.

With respect to the "stateful packet inspection" garbage;
it's computer security's equivalent of homeopathy or
accupuncture: people like it because it makes them
feel better. It's a placebo.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Relevant Pages

  • Re: Just venting (totally OT)
    ... the ame router to get access to the net! ... I'm paranoid about opening up my firewall "just in case..." ... not visiting dodgy Websites. ... The protection that it does supply is also provided by ...
    (uk.people.support.depression)
  • Re: Just venting (totally OT)
    ... how long it plays for because it's all been ripped on to hard disc ... the ame router to get access to the net! ... I'm paranoid about opening up my firewall "just in case..." ... The protection that it does supply is also provided by ...
    (uk.people.support.depression)
  • Re: What is broken:McAfeee firewall or my router ????? Urgent, ple
    ... your computer regardless of what McAfee firewall said. ... If your router is ... warned about those ports being available right away if you had any of those ...
    (microsoft.public.security)
  • Re: What is broken:McAfeee firewall or my router ????? Urgent, ple
    ... your computer regardless of what McAfee firewall said. ... If your router is ... warned about those ports being available right away if you had any of those ...
    (microsoft.public.security)
  • Re: Just venting (totally OT)
    ... long it plays for because it's all been ripped on to hard disc so it ... I'm paranoid about opening up my firewall "just in case..." ... having the protection of a router, not opening dodgy emails, and not ... The protection that it does supply is also provided by your router ...
    (uk.people.support.depression)