Dailydave mailing list archives
Re: This just in: Firewalls are obsolete
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 12 Jul 2005 01:49:15 +0200
In order to offer any protection, the firewall has to implement the complex protocol -- and countless others. This means that the firewall vendor is at a disadvantage compared to the original protocol author (less focus, often less information). I don't think most firewall vendors use radically different implementation techniques; it's mostly C or C++, with the usual problems. Often, the net result is a protocol implementation at the firewall level which is incomplete, does not completely protect the actual service, and has security bugs on its own. In almost all cases, if you run two software packages instead of one, you get the union of all their bugs, not the intersection. The application you're trying to protect must be in a really, really bad shape before this equation changes. Of course, such things do happen in practice (cf. web applications and SQL injection), but to fix these mishaps, you have to go well beyond typical firewalling efforts.
Let's try and not confuse things though. If you do use two (or more) products, it is true you are now vulnerable with both of them. However, you are also now more secure in the event one fails.
If the two "whatevers" are of the same type, the likelihood of the second following the first and... dying (if you're lucky) is extremely high (or more so than with two of different types).
Then, managing a network with different types of devices and/or OS's is hell by itself and therefore a security risk on its own.
I'd take manageability of my network any day over the mess of 100 different devices I can't know much about.
However, there is one problem that we face which really scares me, and that is the menace of having a monoculture.
One bug, and we're all dead. One bad patch, and we're all dead. It's a lose-lose situation... and the answer is probably neither. What I personally do is fall back on yucky management-type risk assessment, see where I can live with and protect a monoculture (or more like, better protect than otherwise not at all...) and where I can put different devices and still manage them, such as at the entrance to my network.
No solution is perfect.
Gadi.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave