Re: [fw-wiz] Provocative Query: Are firewalls obsolete in a world involving enterprise WebService SOA



2008/3/26, Marcus J. Ranum <mjr@xxxxxxxxx>:
What you have done is rediscovered the "incoming traffic problem" -
which is a primary property of firewalls that has been well-understood
since the early 1990s. You're correct that many firewalls (especially
the packet-oriented ones or the so-called 'stateful' ones) don't do
anything useful at layer-7, and serve primarily to force traffic to an
application service which needs to be tough enough to withstand
direct attack specific to that service. And, yes, with things like
"everything tunnelled over web services" remote procedure calls,
the complete set of protocol options at layer-7 is too large to be
controlled, enumerated, or understood - which means that effectively
you are doomed to intermittent epic failures.

I think that the problem is a bit (yes, just a bit) more manageable than that.
Although the complete set of protocol options is very large, with good
design practices one can keep the set of actually used options small.

(Well, if everything had been designed with good practices in mind,
there would have been no need for firewalls...
So the other short answer is "yes": as firewalls are a bandaid solution,
they are not useful anymore: you cannot do anything useful with a bandaid
when the patient has had his head blown off.)
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
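The point made in the reply above, that good design keeps the set of actually used layer-7 options small enough to enumerate, can be shown concretely. The following is an added example, not code from the original post or from anyone on the list: a positive-security-model check for a web-service endpoint that enumerates the two operations an assumed order service uses and rejects everything else, including SOAP Header blocks, DTDs, extra parameters, and a SOAPAction that disagrees with the body. The namespace `urn:example:orders`, the operation names, the parameter patterns, and the sample messages are all assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example:orders"  # assumed namespace for the illustrative service

# The positive model: the only operations this service actually uses, each with
# the only parameters it accepts and a strict pattern for each value.
ALLOWED_OPERATIONS = {
    "GetOrderStatus": {"orderId": re.compile(r"[0-9]{1,12}")},
    "ListOrders": {"customerId": re.compile(r"[A-Z]{2}[0-9]{6}")},
}
MAX_BODY_BYTES = 16 * 1024
MAX_DEPTH = 6  # Envelope > Body > Operation > Parameter, plus a little slack


class Denied(Exception):
    """Raised for any request outside the enumerated set."""


def _depth_ok(elem, depth=1):
    return depth <= MAX_DEPTH and all(_depth_ok(c, depth + 1) for c in elem)


def _local(tag):
    """Split an ElementTree tag '{ns}name' into (ns, name); ns is '' if unqualified."""
    ns, _, name = tag.rpartition("}")
    return ns.lstrip("{"), name


def check_request(headers, body):
    """Return the operation name if the request fits the model, else raise Denied."""
    if len(body) > MAX_BODY_BYTES:
        raise Denied("body too large")
    if not headers.get("Content-Type", "").lower().startswith("text/xml"):
        raise Denied("unexpected content type")
    # DTDs (external entities, entity expansion) are not part of the model at all,
    # so refuse them before the parser ever sees them.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise Denied("DTDs and entities are not part of the model")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise Denied(f"malformed XML: {exc}")
    if root.tag != f"{{{SOAP_ENV}}}Envelope" or not _depth_ok(root):
        raise Denied("not a SOAP envelope of acceptable shape")
    if root.find(f"{{{SOAP_ENV}}}Header") is not None:
        raise Denied("SOAP Header blocks are not used by this service")
    soap_body = root.find(f"{{{SOAP_ENV}}}Body")
    if soap_body is None or len(soap_body) != 1:
        raise Denied("Body must carry exactly one operation")
    op = soap_body[0]
    ns, name = _local(op.tag)
    if ns != SERVICE_NS or name not in ALLOWED_OPERATIONS:
        raise Denied(f"operation not in model: {op.tag}")
    # The transport-level SOAPAction must agree with the body; a mismatch is a
    # classic way to make a gateway and a backend see two different operations.
    action = headers.get("SOAPAction", "").strip().strip('"')
    if action != f"{SERVICE_NS}#{name}":
        raise Denied("SOAPAction does not match body operation")
    expected = ALLOWED_OPERATIONS[name]
    seen = set()
    for param in op:
        pns, pname = _local(param.tag)
        if pns not in ("", SERVICE_NS) or pname not in expected or pname in seen:
            raise Denied(f"unexpected parameter: {param.tag}")
        if param.attrib or len(param) != 0:
            raise Denied(f"parameter {pname} must be a plain value")
        if not expected[pname].fullmatch(param.text or ""):
            raise Denied(f"bad value for {pname}")
        seen.add(pname)
    if seen != set(expected):
        raise Denied("missing parameters")
    return name


def is_allowed(headers, body):
    """Boolean wrapper for callers that only need the decision."""
    try:
        check_request(headers, body)
        return True
    except Denied:
        return False


# Constructed sample traffic for the illustrative service (not captured data).
SAMPLE_HEADERS = {"Content-Type": "text/xml; charset=utf-8",
                  "SOAPAction": '"urn:example:orders#GetOrderStatus"'}


def _envelope(inner):
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_ENV}" xmlns:o="{SERVICE_NS}">'
            f"<soapenv:Body>{inner}</soapenv:Body></soapenv:Envelope>").encode()


SAMPLE_OK = _envelope("<o:GetOrderStatus><o:orderId>12345</o:orderId></o:GetOrderStatus>")
SAMPLE_UNKNOWN_OP = _envelope("<o:DeleteAllOrders/>")
SAMPLE_BAD_VALUE = _envelope("<o:GetOrderStatus><o:orderId>1 OR 1=1</o:orderId></o:GetOrderStatus>")
SAMPLE_EXTRA_PARAM = _envelope("<o:GetOrderStatus><o:orderId>12345</o:orderId>"
                               "<o:debug>1</o:debug></o:GetOrderStatus>")

if __name__ == "__main__":
    for label, msg in [("ok", SAMPLE_OK), ("unknown op", SAMPLE_UNKNOWN_OP),
                       ("bad value", SAMPLE_BAD_VALUE), ("extra param", SAMPLE_EXTRA_PARAM)]:
        print(label, "->", "allowed" if is_allowed(SAMPLE_HEADERS, msg) else "denied")
```

The check deliberately knows nothing about the full SOAP or XML feature set; it only knows the handful of shapes the service was designed to receive, which is the property the reply argues a well-designed service can have. Anything a packet or stateful firewall would have forwarded untouched, such as an unknown operation, an injected parameter, a DTD, or a header block the service never used, is rejected here by not being on the list.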