Re: Hardware Firewall Recommendation

From: Micheal Robert Zium (mrozium_at_XSPAMX-yahoo.com)
Date: 06/20/04


Date: 20 Jun 2004 01:08:31 -0500

Leythos wrote:

>The appliance has the proxy as one of the rules you can use - it's a
>better option than a system running a app to do it. Less chance of it
>breaking or being misconfigured - less chance of a parts failure too.

Understand that I'm not trying to be argumentative, but claiming that
an appliance has the exclusive distinction of being less likely to
fail or be misconfigured is taking great liberties with the truth.
Anything that can be configured can be misconfigured. Just because
it's "point-and-click" doesn't make it less likely to be
misconfigured. The person responsible for the configuration is the
mitigating factor here, not software. Untrained people should not
configure firewalls. Parts failure is pretty much a non-issue. Do
you run your servers on appliances? I've heard those battle cries,
and quite frankly, neither hold much water today.

>> >We've not had to update the firewalls, the rules, once in place, are
>> >something that covers all of the problems that already come up. If you
>> >block .EXE you never have to go back and update the firewall to keep
>> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
>>
>> I see. That would never work in any environment I've seen, as all the
>> companies and government entities I provide security for *must* be
>> able to download files, including executables. Especially for M$
>> updates. Users are only allowed to run approved programs, but that
>> rarely ever stops today's worms/viruses. Of course, that's one reason
>> why it's so important to employ a good anti-virus solution.
>
>AV is a day late in most cases - the definition files don't come out for
>the new viruses until a day after they hit the mainstream.

I agree, but I still use it. Don't you? Besides, it's hardly a
firewall's job to provide anti-virus solutions. Otherwise, we'd be
constantly updating our firewalls, right?

>The updates from MS can easily be configured to pass through the
>firewall - as I mentioned earlier, the blocking has exception lists and
>it's easy to configure exceptions for all blocking. We run updates every
>night.

No, you didn't mention it. You said you block .EXE. I took you at
your word. To quote your earlier post:
>For those that did select it, they would not have had a problem - we
>don't allow .exe or other types through the HTTP proxy service in the
>firewall.
And then later in the same post you said:
>If you block .EXE you never have to go back and update the firewall to keep
>users from downloading and running .EXE over HTTP/HTTPS or SMTP.
I wondered how you managed not allowing downloading .exe files. Now
you have me wondering about why you would claim "set-and-forget", yet
talk about configuring exceptions. Quite perplexing indeed. Please
understand that I'm not trying to nit-pick you to death, but you've
made some great claims, and I was wondering if I should jump ship. I'm
far from being convinced. Maybe it's just me, but I see some glaring
inconsistencies in your statements.

>If you have your block rules setup properly your people will not be
>stopped from doing anything they are permitted to do, including updates,
>but they will be protected from almost all of the bad files out there.

I couldn't agree more. But now you're straying waaaaay away from the
simple "Less chance of it breaking or being misconfigured...".
Unless, of course, your customers have simple needs when it comes to
downloading executable files. A single customer of mine may have more
than two dozen different programs on different computers and/or
servers requiring updates or patches from as many (or more) sites
and/or service providers. I guess my customer's requirements are much
different than yours. Or, maybe your appliance has a magical rule
applicator? Seriously, how would you manage without creating an
exception for each requirement?

>Remember, virus updates are reactionary, they don't protect you until
>the virus is "known" by the vendor that provides your updates.

I agree. You're preaching to the choir.

>> Also, I'm surprised you don't update your firewalls (patches, not
>> rules). I'd sleep better knowing my firewalls and the computers
>> behind them were up-to-date.
>
>Up to date and needing an update are two different things - we don't
>blindly apply updates, even Windows updates, on every machine. When you
>look at the update, unless it does something for your needs you don't
>have to apply it.

I'm with you there (again) 100%. But how do you find the time to
review and apply daily updates? Remember, you said:
>In general, every workstation at a generic desk updates every evening.
Like Lewis Carroll wrote: "Curiouser and Curiouser". Unless you mean
you only blindly apply M$ updates to generic boxes.

>In the case of WG, there have not been any security
>related updates to the firmware in a long time. Yes, they've come out
>with newer rev's and nicer features, but the updates don't change
>anything in the security options that most of our clients' setups use.

Ummm...ok. I'll take your word on that. I guess you don't use the
V-Class products. This is taken from their site:
>WatchGuard® Vclass products 22 April 2004
>WatchGuard Vclass Version 5.1.1 sp1 includes security enhancements
>to your product.
Maybe it's not a firmware update. Wait, what else could it be?

To basically sum it up, we both are trying to accomplish the same task
(more or less), yet we use quite different methods and tools. For
instance, you choose an appliance as a single point-of-failure, and I
prefer to use specific tools for specific jobs. Choice is great,
wouldn't you say?
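The rule the two posters are arguing about (block executable downloads through the HTTP proxy, with an exception list for patch sources) can be written down concretely. The following is an added example, not code from either poster or from any firewall vendor; the allowlisted host names, the rule set and the sample downloads are constructed for illustration. It goes slightly beyond the thread by classifying on three independent signals (file extension, Content-Type, and the "MZ" magic bytes of a DOS/PE executable), so that renaming an .exe or mislabelling its MIME type is not enough to slip past the block, and by matching exception hosts on the whole name rather than as a substring.

```python
"""Executable-download filter with an exception list for an HTTP proxy.

Constructed example: the allowlist, rule set and sample downloads below
are assumptions for illustration, not any vendor's configuration.
"""
import fnmatch
import posixpath
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Hosts permitted to serve executables (patch sources). Hypothetical names.
UPDATE_ALLOWLIST = (
    "download.windowsupdate.com",
    "*.update.microsoft.com",
    "updates.vendor.example",
)

# Extensions the rule treats as executable content.
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".msi", ".dll")

# MIME types commonly used for Windows executables.
EXECUTABLE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}

PE_MAGIC = b"MZ"  # first two bytes of a DOS/PE executable


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def host_allowed(host: str, allowlist=UPDATE_ALLOWLIST) -> bool:
    """Exact or wildcard match against the whole host name, never a substring,
    so 'download.windowsupdate.com.attacker.example' does not pass."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, pattern.lower()) for pattern in allowlist)


def looks_executable(url: str, content_type: str, body_head: bytes) -> Optional[str]:
    """Return why a download is classified as executable, or None if it is not.
    Extension, MIME type and magic bytes are checked independently."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return f"extension {ext}"
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in EXECUTABLE_MIME_TYPES:
        return f"content-type {mime}"
    if body_head.startswith(PE_MAGIC):
        return "PE magic bytes"
    return None


def evaluate(url: str, content_type: str, body_head: bytes,
             allowlist=UPDATE_ALLOWLIST) -> Decision:
    """Apply the block rule, then the exception list, to one response."""
    host = urlsplit(url).hostname or ""
    reason = looks_executable(url, content_type, body_head)
    if reason is None:
        return Decision(True, "not executable")
    if host_allowed(host, allowlist):
        return Decision(True, f"{reason}, but {host} is on the update exception list")
    return Decision(False, f"{reason} from non-exempt host {host}")


# Constructed sample downloads (hypothetical URLs, headers and body prefixes).
SAMPLES = [
    ("http://download.windowsupdate.com/msdownload/update/KB000000.exe",
     "application/octet-stream", b"MZ\x90\x00" + b"\x00" * 60),
    ("http://files.example.net/invoice.exe", "application/x-msdownload", b"MZ\x90\x00"),
    ("http://files.example.net/invoice.txt", "text/plain", b"MZ\x90\x00"),  # renamed PE
    ("http://download.windowsupdate.com.attacker.example/patch.exe",
     "application/octet-stream", b"MZ"),
    ("http://intranet.example/report.pdf", "application/pdf", b"%PDF-1.4"),
]


def run_samples():
    """Evaluate every constructed sample; returns (url, Decision) pairs."""
    return [(url, evaluate(url, ctype, head)) for url, ctype, head in SAMPLES]


if __name__ == "__main__":
    for url, decision in run_samples():
        print("ALLOW" if decision.allow else "BLOCK", url, "-", decision.reason)
```

Two practical caveats follow from the code. The exception list is itself configuration that has to be maintained, which is the point the poster raises about "set-and-forget" versus exceptions per vendor. And the body and Content-Type checks only work where the proxy sees the response in clear: for HTTPS without TLS interception the proxy sees only the CONNECT host, so the rule degrades to host-based allow or deny.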

