Firewall Wizards mailing list archives
RE: New FW architecture? (was RE: Time for a new FWTK?)
From: Ted Doty <ted () iss net>
Date: Tue, 02 Dec 1997 09:19:13 -0500
At 03:57 PM 12/1/97 -0500, Stout, William wrote:
I believe this is natural evolution of the firewall architecture (Note that I did not say proxy server). IMNSO - It's inane to force all the possible protocol filtering requirements of a corporation onto one box, especially if one user exposes the entire corporation to a new unproven protocol.
[lots of interesting ideas deleted]

It's important to keep our eyes on the problem. The external problem is lack of accountability combined with the lack of any mechanism to (legally) enforce your policy goals. This is why we focus on prevention, because it's so dang hard to prosecute.

The internal problem is different. These people work for us. There are actions we can take if we see someone straying from the bounds set by policy (at least in theory). My gut feel is that proper monitoring, combined with education (i.e. letting people know that you know what's happening) is a moderately good deterrent.

- Ted

--------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 770 395 0150
41 Perimeter Center East            | Fax:   +1 770 395 1972
Atlanta, GA 30346 USA               | Web:   http://www.iss.net
--------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE