Firewall Wizards mailing list archives
Re: How automate firewall tests
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 22 Aug 2006 00:26:39 -0400
Chris Byrd wrote:
> I guess the question then is, what is the solution?
Oh, sheesh, it's not enough for you that I help identify the problem, you want me to take another stab at solving it?!? My last attempt wasn't very popular or successful; I'm discouraged.
> Defense-in-depth, compartmentalization, and diligent patching all help, but surely there has got to be a way to build a better mouse trap - err - firewall.
Nope!!! Security is a complexity problem. Software is too complex to understand the ramifications of its combinations, when you toss in a hostile actor. The "solution" - if there is one - is not to add more stuff, but rather to take stuff away. If you accept my argument that security is a complexity problem, then it follows logically that ADDING more stuff (firewalls, IPS, autopatching, etc, etc) is actually going to make things worse in the long run, rather than better. But: define "worse" - it's going to make a lot of money for a lot of people.
> What about the handful of L7 firewalls out there? Sidewinder and the like? Don't they manage to keep up on fast links? Can you move the processing into FPGAs or similar?
I think Secure Computing has been pretty effectively rolling the layer-7 technology into their portfolio. At this point they're the remaining vendor playing hard in that space.
> It's not that I want a silver bullet in a firewall, just that I want it to do more than just be a hunk of metal in line.
Awww, c'mon - you've got _REGEXPS_ in your firewall, now, what MORE do you NEED? *snicker*
mjr.