Dailydave mailing list archives

Re: This just in: Firewalls are obsolete


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 12 Jul 2005 01:49:47 +0200

* Gadi Evron:

> If you can bring every (erm, every?!) machine in your network to where
> it is secure enough to be on the Internet, on its own.. then why do you
> still need a perimeter?

For detection.

But I tend to agree that hardening the hosts themselves is the way to go.
Another approach is segregation of the internal network at the network
device layer (using bridging IP-layer filters, packet filters which
route between different VLANs, and so on).  But this is apparently
very hard to implement on larger networks, at least with current
technology.

> I may find this ridiculous, but I am far from vain enough to dismiss
> some of these people and their work so readily.. I must simply not be
> getting it.

Why do you think it's ridiculous?  Obviously, you don't think patching
is the answer, either. 8-)  In which direction do you try to push
things?

> However, getting back to this article, saying that we don't need
> Firewalls because we can use ACL's... is one of the silliest statements
> I ever heard. It's pretty much like saying.. "hey, we don't need a
> picket-fence, we can use a wooden-fence."

I think there's some feeling that a firewall is just a router with an
attitude.  I'm slightly biased by my experience, but it does make
sense to run a stateless packet filter at the perimeter, and not some
obscure gadget which dies horribly when someone starts a quick port
scan across your address space (or launches a 50 kpps DoS attack).
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
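The last paragraph of Florian's reply contrasts a stateless perimeter packet filter with a device that has to allocate state for every flow it sees. The following Python model is an added illustration of that trade-off; it is not code from this thread, from either author, or from any real firewall product. The rule set, the addresses (RFC 5737 documentation ranges), the synthetic port sweep and the `NaiveTracker` class are all constructed for the example; a real deployment would express the same policy in nftables, pf or a router ACL.

```python
"""Stateless perimeter filter vs. a naive flow-tracking device under a port sweep.

Added example, not from the Dailydave thread. Everything below is constructed:
the stateless rule list is a classic "allow SYN only to published services,
allow ACK-bearing replies, drop the rest" policy, and NaiveTracker is a
deliberately simplified model of a device whose flow table grows with every
new flow it sees, so that a sweep of many ports fills it up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                       # "accept" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR; None matches any source
    dst: Optional[str] = None         # CIDR; None matches any destination
    dport: Optional[int] = None
    new_only: bool = False            # only TCP connection attempts (SYN set, ACK clear)
    established_only: bool = False    # only TCP packets carrying ACK (reply traffic)

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.dst and ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.new_only and not (p.syn and not p.ack):
            return False
        if self.established_only and not p.ack:
            return False
        return True


class StatelessFilter:
    """First-match rule list with a default drop; keeps no per-flow memory."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "drop"

    def state_entries(self) -> int:
        return 0                      # constant memory regardless of traffic


class NaiveTracker:
    """Simplified stateful device (constructed model): it allocates a flow-table
    entry for every new 5-tuple before applying policy, so a sweep of N ports
    costs N entries, and once the table is full it stops deciding at all."""

    def __init__(self, policy: StatelessFilter, max_entries: int):
        self.policy = policy
        self.max_entries = max_entries
        self.table = {}

    def decide(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key not in self.table:
            if len(self.table) >= self.max_entries:
                return "table-full"   # the gadget "dies horribly"
            self.table[key] = "new"
        return self.policy.decide(p)

    def state_entries(self) -> int:
        return len(self.table)


# Constructed perimeter policy for a single published web host.
PERIMETER_RULES = [
    Rule("drop", src="10.0.0.0/8"),                                   # internal range arriving from outside: spoofed
    Rule("accept", proto="tcp", dst="192.0.2.10/32", dport=80, new_only=True),
    Rule("accept", proto="tcp", dst="192.0.2.10/32", dport=443, new_only=True),
    Rule("accept", proto="tcp", established_only=True),               # replies to connections opened from inside
    # anything else falls through to the default drop
]


def run_port_sweep(device, src="198.51.100.7", dst="192.0.2.10", ports=range(1, 1001)):
    """Feed one constructed SYN per destination port and summarise the outcome."""
    counts = {"accept": 0, "drop": 0, "table-full": 0}
    for port in ports:
        pkt = Packet(src=src, dst=dst, proto="tcp", sport=40000 + port % 20000, dport=port, syn=True)
        counts[device.decide(pkt)] += 1
    return counts, device.state_entries()


if __name__ == "__main__":
    print("stateless:", run_port_sweep(StatelessFilter(PERIMETER_RULES)))
    print("tracker:  ", run_port_sweep(NaiveTracker(StatelessFilter(PERIMETER_RULES), max_entries=500)))
```

Run stand-alone, the stateless filter answers all thousand probes with two accepts (ports 80 and 443) and no state, while the tracker stops answering halfway through because its 500-entry table is full. The `established_only` rule is the usual stateless substitute for connection tracking: it admits any TCP segment with ACK set, which is what a reply to an outbound connection looks like, at the cost of also admitting unsolicited ACK-bearing segments that a stateful device would reject. That is the trade-off behind Florian's remark: a stateless filter is cheaper and more robust under load, and the hardened hosts behind it are expected to cope with the traffic it lets through.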