Re: Firewall rules order and performance

["Behm, Jeff" <jbehm () burnsmcd com>]

On Tuesday, July 28, 2009 4:06 PM Eric Gearhart said:

> On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin () computer org>
wrote:
> > Who remember that firewalls (as application gateways) was designed to

> > solve (or to ease a lot) the patch management problem?

> Part of the problem with your argument is that in order for e,g, a web 
> server to be reached, port 80 (and maybe port 443) have to be allowed 
> through the firewall. That fact alone means that the webservers have to
> be patched, because as long as the firewall is allowing legitimate 
> traffic through, it could also be allowing malicious traffic through...

True, but if your firewall is stopping (I won't argue whether or not
that
is actually occurring or not) traffic to all the other ports, wouldn't
that imply that your patch management *has* been eased "a lot?"

No doubt you have to patch, but "critical" patches for services not
exposed
(thanks firewall) at least lend some time to have some sense of order,
rather
than having to patch every time the sun rises.

Jeff
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards