Re: [fw-wiz] Firewall rules order and performance

On Tuesday, July 28, 2009 4:06 PM Eric Gearhart said:

> On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin@xxxxxxxxxxxx>
> wrote:
> > Who remembers that firewalls (as application gateways) were designed to
> > solve (or to ease a lot) the patch management problem?
>
> Part of the problem with your argument is that in order for e.g. a web
> server to be reached, port 80 (and maybe port 443) have to be allowed
> through the firewall. That fact alone means that the webservers have to
> be patched, because as long as the firewall is allowing legitimate
> traffic through, it could also be allowing malicious traffic through...

True, but if your firewall is stopping (I won't argue whether or not that
is actually occurring) traffic to all the other ports, wouldn't that imply
that your patch management *has* been eased "a lot"?

No doubt you have to patch, but "critical" patches for services not exposed
(thanks, firewall) at least lend some time to have some sense of order,
rather than having to patch every time the sun rises.

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
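The argument in this exchange, that a firewall which only admits traffic to a few ports turns "patch everything now" into "patch the reachable services now, schedule the rest", can be made concrete as a small triage script. The following is an added example written for this archive page; it is not code from the firewall-wizards list or from any of the posters. All hosts, allow rules, services and patch identifiers in it are constructed sample data, and the severity/remote flags are placeholders for whatever your vulnerability feed supplies.

```python
"""Patch-priority triage from a firewall's inbound allow list.

Added example, not from the firewall-wizards thread. It encodes the point
made in the reply above: a patch for a service the firewall does not expose
to the Internet can be scheduled, while a remotely exploitable flaw in an
exposed service has to be fixed now. Every host, rule and patch below is
constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Host:
    name: str
    listening: dict[int, str]  # port -> service name running on that port


@dataclass
class Patch:
    id: str
    service: str    # service the fix applies to
    severity: str   # "critical", "high", "medium" or "low"
    remote: bool    # exploitable over the network without prior access


@dataclass(frozen=True)
class AllowRule:
    dst_host: str
    dst_port: int
    src: str = "any"  # "any" means Internet-facing; anything else is an internal source label


# Constructed inventory: an Internet-facing web server and an internal database.
HOSTS = [
    Host("web01", {80: "http", 443: "https", 22: "ssh"}),
    Host("db01", {3306: "mysql", 22: "ssh"}),
]

# Constructed firewall policy: only 80/443 on web01 are open to the world.
RULES = [
    AllowRule("web01", 80),
    AllowRule("web01", 443),
    AllowRule("web01", 22, src="mgmt-net"),
    AllowRule("db01", 3306, src="web01"),
    AllowRule("db01", 22, src="mgmt-net"),
]

# Constructed pending patches (identifiers are placeholders, not real advisories).
PATCHES = [
    Patch("PATCH-HTTPD", "http", "critical", remote=True),
    Patch("PATCH-OPENSSH", "ssh", "high", remote=True),
    Patch("PATCH-MYSQL", "mysql", "critical", remote=True),
]


def exposed_services(hosts: list[Host], rules: list[AllowRule]) -> set[tuple[str, int, str]]:
    """Return the set of (host, port, service) tuples reachable from 'any' source."""
    by_name = {h.name: h for h in hosts}
    exposed = set()
    for r in rules:
        if r.src != "any":
            continue  # internal-only rule: not Internet exposure
        h = by_name.get(r.dst_host)
        if h and r.dst_port in h.listening:
            exposed.add((h.name, r.dst_port, h.listening[r.dst_port]))
    return exposed


def triage(hosts: list[Host], rules: list[AllowRule], patches: list[Patch]) -> dict[str, list[tuple[str, str]]]:
    """Classify each (host, patch) pair as 'urgent' or 'scheduled'.

    Urgent means: the service is reachable from the Internet AND the flaw is
    remotely exploitable AND severity is critical or high. Everything else
    still gets patched, but on a maintenance schedule.
    """
    exposed_pairs = {(host, svc) for host, _port, svc in exposed_services(hosts, rules)}
    result: dict[str, list[tuple[str, str]]] = {"urgent": [], "scheduled": []}
    for h in hosts:
        running = set(h.listening.values())
        for p in patches:
            if p.service not in running:
                continue  # patch does not apply to this host
            reachable = (h.name, p.service) in exposed_pairs
            urgent = reachable and p.remote and p.severity in ("critical", "high")
            result["urgent" if urgent else "scheduled"].append((h.name, p.id))
    return result


if __name__ == "__main__":
    for bucket, items in triage(HOSTS, RULES, PATCHES).items():
        print(f"{bucket}:")
        for host, patch_id in items:
            print(f"  {host}: {patch_id}")
```

With the sample policy only PATCH-HTTPD on web01 lands in the urgent bucket; the OpenSSH and MySQL fixes are still applied, but they wait for the next window because no Internet-sourced rule reaches those services. The useful check in practice is the opposite direction: run the same triage against the firewall's actual allow list rather than the one you believe is deployed, since an unnoticed "any" rule silently moves patches from scheduled to urgent.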
