Re: [fw-wiz] Firewall rules order and performance

On Wed, Jul 29, 2009 at 10:27 AM, <> wrote:
Selon Eric Gearhart <eric@xxxxxxxxxxxxx>:
On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin@xxxxxxxxxxxx>
Who remember that firewalls (as application gateways) was designed to solve
(or to ease a lot) the patch management problem?
Now, we are back to patch management as the solution for all problems
because dumb people (managers, marketers, buyers, system admins, network
admins, developers, or whatever fit your situation) are unable (or
unwilling) to understand what is a firewall, and what is it due for...

Part of the problem with your argument is that in order for e,g, a web
server to be reached, port 80 (and maybe port 443) have to be allowed
through the firewall. That fact alone means that the webservers have
to be patched, because as long as the firewall is allowing legitimate
traffic through, it could also be allowing malicious traffic

The problem with your argument is that you don't know what is a firewall... ;)
(no offense intended)

A firewall IS NOT a layer 3 filter (yes, I know that most of the marketing folks
told you that a "stateful packet inspection" thing is a firewall, but that's
WRONG in a lot of different ways...).
A firewall is layer 7 proxy (also known as application gateway). So, you don't
need to patch your application, nor the underlying OS because they are
completely concealed from the outside.
(I know, I know, don't cite WP... but it looks reasonably accurate)
makes it sound like the term started with "packet filter," then
evolved to stateful packet inspection, then the third generation of
the term evolved into your definition...

Isn't something that's actively looking at application traffic more of
an application-level IPS, such as OSSEC or something along those

I will sheepishly admit that the original post included the term
"application gateway" specifically though... well played

firewall-wizards mailing list