Firewall Wizards mailing list archives
RE: so much for "deny all"
From: "Tina Bird" <tbird () precision-guesswork com>
Date: Fri, 10 Jun 2005 14:51:24 -0700
> On 7 Jun 2005 at 9:41, Tina Bird wrote:
> > From the TechTarget coverage of the Gartner Security Summit this week:
> >
> > "Next generation firewalls that do deep-packet inspections from vendors like Juniper Networks, Check Point and Fortinet employ a heuristics engine and allow all network traffic and behavior, except those which policy says it must block. Most enterprises, however, refresh their firewall purchases on a three- to five-year cycle and that makes it challenging to synch new features."

From: Dave Piscitello [mailto:dave () corecom com]

> This is very good publicity for firewall vendors not in the list who provide a default "DENY ALL" in policy configuration. I'll enjoy tormenting friends at these companies over this :-)

I guess that's one way to look at it. I'd like to think that folks at those companies will be cringing, and refusing to pay for multi-martini lunches (if anyone in this politically correct time still indulges in multi-martini lunches). Although I wonder how many of the companies that ship with a "deny all" config will now be accused of being out of touch with the real world, or at least the real world as defined by Gartner.

> But the 2nd statement is very odd, don't you think? Not only is it remarkably difficult to parse, but it flies in the face of (my) experience. Taking the source with a grain of salt, I find it hard to believe that most enterprises change security vendors every five years.

Well, the company at which I did my first firewall install replaced the whole shebang within a year of my leaving, claiming that my rock-solid Sidewinder infrastructure was too hard to manage, and putting in PIXen instead. But I agree that *most* places don't do that. We're generally content with the devil we know.

> Perhaps 100% of my clients buck this trend. Upgrades, yes. Forklifting firewalls? I have yet to see this except in circumstances where the prior firewall failed pitifully in enforcing policy.

I have seen several organizations replace firewall or VPN architectures, and almost never for a technical reason - almost always for political or financial ones.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards