Firewall Wizards mailing list archives

Re: DISA eliminating firewalls


From: "Gumennik, Mark J." <mgumennik () mitre org>
Date: Fri, 12 Jul 2013 14:26:04 +0000

Take into consideration that DISA is a very large ISP and a huge bureaucracy. Firewall going away from ISP? - What else 
is new? Big Bosses discussing things they don't understand with authority? - what else is new?
DISA has been trying to implement it ever since the AF installed a similar infrastructure, which led to even more 
firewall implementations due to segregation of functional networks (see the thread - Wi-Fi, phones, etc. need their own 
firewalled sub-netting if you properly designed your networks)
Firewalls are evolving into more and more complex devices, incorporating IDS, IPS, VPN concentrators, etc. etc., but we 
still call them firewalls, whether it's packet filter or an app proxy (all vendors actually claim nowadays that they 
can do both - hmmm...). Call them whatever you want, but the functionality stays. We all know that we can't fully 
protect our networks no matter what we do; and the best we can do is to add layers of defense, not subtract them; and 
the FW functionality is the main layer I can think of for a long time.
So sleep well Firewall Wizards, your job is safe and is a good one :)

      --    Mark


From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On 
Behalf Of James Wright
Sent: Monday, July 08, 2013 4:14 PM
To: Firewall Wizards Security Mailing List
Cc: firewall-wizards () listserv cybertrust com
Subject: Re: [fw-wiz] DISA eliminating firewalls

Agreed, I also do not see them going away.  While BYOD is becoming a common practice, so is network segregation, such 
as separate wifi networks dedicated to personal devices.  Just because they need connectivity for their device does not 
necessarily mean that it has to be direct connectivity to internal resources and it does not mean that every 
employee/user needs that level of connectivity.  Vendors are getting better with the device VPN products as a method of 
internal access, which can include an endpoint compliance scan.  This can ensure the device meets local policies (like 
not being on the cell or other networks too, having AV (for what it's worth), or other software/features).  Oftentimes 
the VPN options include turning off split-tunneling (forcing all data traffic through the VPN tunnel), and other proxy 
type options.


Regards,
James


On Sun, Jul 7, 2013 at 12:46 AM, kent <kent () songbird com> wrote:
On 07/06/2013 08:55 AM, Crispin Cowan wrote:
"What will happen when firewalls go away?" is a very good question, I
don't have that answer. I simply assert that firewalls will go away,
because they will become irrelevant. They are already barely relevant
because of mobile devices. The threatscape is ignoring your firewall and
walking straight through the front door attached to each individual
worker in the form of a smart phone or a tablet. Not only do the users
use them any way they want while away from the office, most of these
devices are dual-homed to your network and a cellular network plumbed
right to the internet.

It is neither my choice nor my wish that firewalls will go away, merely
an inevitable consequence of pervasive mobile computing in the enterprise.

Firewalls will be with us for a long time to come.  Old threats don't
become irrelevant just because there are powerful new threats.

Kent
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
