RE: so much for "deny all"

["Dave Piscitello" <dave () corecom com>]

On 10 Jun 2005 at 14:51, Tina Bird wrote:


> > From: Dave Piscitello [mailto:dave () corecom com] 
> >
> > This is very good publicity for firewall vendors not in the list who
> > provide a default "DENY ALL" in policy configuration. I'll enjoy
> > tormenting friends at these companies over this:-)
>
> I guess that's one way to look at it. I'd like to think that folks at
> those companies will be cringing

for the record, I did mention this to one of the companies listed and 
they are moritified. 

> real world as defined by Gartner.

strip the adjective

> Well, the company at which I did my first firewall install replaced
> the whole shebang within a year of my leaving, claiming that my
> rock-solid Sidewinder infrastructure was too hard to manage

This could begin an new thread entirely: change introduced under the 
guise of "complexity" when it really is "we downsized our expertise 
and can't do what we did before".

> I have seen several organizations replace firewall or VPN
> architectures, and almost never for a technical reason - almost always
> for political or financial ones.

I've seen SSL VPNs replace IPsec RA VPNs, but the firewall remains 
and continues to terminate site-to-site IPsec.  


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards