Firewall Wizards mailing list archives

RE: Multiple firewalls from different manufacturers


From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 29 Jan 2005 10:06:55 -0500 (EST)

On Fri, 28 Jan 2005, R. DuFresne wrote:

> Because changes are made without any real audit taking place, and no
> overseeing done by the security group, what we catch are those changes
> that break application connectivity.  What we totally miss are those
> changes that break security.

Indeed, that's one of the reasons I see great promise in Algorithmic
Security's Firewall Analyzer product[1].  That's also why I believe that
configuration review is vastly superior to penetration testing.  A
pen-test *may* uncover a generic hole, but isn't likely to find a specific
one, while validating the configuration should always work.

Ruleset changes over time should be documented, that's the only way to get
good accountability.

While I'm mentioning products, Clavister's[2] client forces version
control on config files for you to keep for strong audit.  It's a text
file, so diff works fine for change reporting.

> Shimming in security is tough enough, without having to try and shim it in
> without taking it into consideration at the beginning of the project,
> mostly due to lack of a top down management approach towards security,
> which despite all the press claiming security is growing by leaps and
> bounds, remains far too common in this state of the game.

Well, it's top-down in that they now say "We need security so we don't get
thrown in jail!" ;)

The interesting thing to me is that the regulatory environment may force
real discipline in organizations where firewall rule changes were known,
executed and understood by only one person- the one making the changes.
The "good old days" of "Hold on a sec- ok it's updated" may be vanishing
more quickly than we're all prepared for.

Paul
[1] Disclaimer:  I'm on their Technical Advisory Board.  Contact me
off-list for further discussion.
[2] Disclaimer:  I use their firewall at home.  Contact Mike off-list for
further discussion ;)
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
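The version-control-and-diff approach to ruleset change reporting that Paul describes above, worked through as an added example that is not part of the original message or of any vendor's tooling. The ruleset format (one "allow|deny <src> <dst> <proto>/<port>" rule per line) and the two sample versions are constructed for this example; the point is that a plain-text diff not only lists what changed but can be screened for the kind of change that leaves connectivity working while weakening security.

```shell
#!/bin/sh
# Added example, not from the original thread.  Tracks a plain-text
# firewall ruleset with diff and flags newly added rules that open
# access from "any".  The rule syntax and sample files are constructed
# (hypothetical), not any vendor's real configuration format.

# Write two constructed ruleset versions to temp files: OLD is the
# audited baseline, NEW is what someone "quickly updated" since.
make_samples() {
  OLD=$(mktemp)
  NEW=$(mktemp)
  cat > "$OLD" <<'EOF'
allow 10.0.0.0/8 192.168.1.10 tcp/443
deny any any any
EOF
  cat > "$NEW" <<'EOF'
allow 10.0.0.0/8 192.168.1.10 tcp/443
allow any 192.168.1.20 tcp/22
deny any any any
EOF
}

# Rules present in NEW but not in OLD, taken from a unified diff.
# '^+[^+]' keeps added rule lines and drops the '+++ file' header.
added_rules() {
  diff -u "$1" "$2" | grep '^+[^+]' | sed 's/^+//'
}

# Rules present in OLD but not in NEW (removed rules), for completeness.
removed_rules() {
  diff -u "$1" "$2" | grep '^-[^-]' | sed 's/^-//'
}

# Count added rules that are "allow" with source "any": exactly the sort
# of change that breaks security but never breaks application connectivity.
count_risky_added() {
  added_rules "$1" "$2" | awk '$1 == "allow" && $2 == "any" { n++ } END { print n + 0 }'
}

# Usage: build the samples and print a change report for review.
make_samples
echo "Added rules:"
added_rules "$OLD" "$NEW"
echo "Removed rules:"
removed_rules "$OLD" "$NEW"
echo "Risky additions (allow from any): $(count_risky_added "$OLD" "$NEW")"
```

In practice the two files would be successive commits of the exported config rather than temp files, and the review step would be run on every change before it is applied; the filter shown is deliberately simple, since the real value is in having a textual record to diff at all.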