Firewall Wizards mailing list archives
Re: [Fwd: Re: Protecting a datacentre with a firewall] (fwd)
From: Cat Okita <cat () reptiles org>
Date: Sun, 4 May 2003 19:51:21 -0400 (EDT)
"mag" proclaimed on 04 May 2003 11:00:23 +0200
> I was telling the truth. We have found that there are no usable firewalls on the market, so we had to develop one.
I have to admit to a morbid curiosity about what you consider "usable". What specific criteria do you use to define "usable"?
> You are successful when you are able to withstand attacks, not when you are able to get the traffic through. Thank you, I know how the average firewall admin responds to problems which cannot be solved with his firewall. Opens everything. I have seen lots of setups of this kind.
Oddly enough I've always felt that there was a great deal of importance to be placed on being able to perform those tasks required to run the business. Claiming that it's unimportant to be able to pass traffic suggests that you're familiar with extremely simple or limited environments.
> > > So prepare for a big work. We have been doing it for five years, and have at least another five years ahead. And we are not even multinational.
> > "a big work"? Please tell me you're joking.
> I am NOT joking.
It does have shades of the "Big Dig", but I suspect language issues.
> 4 good people are enough for approx. 80 _intranet_ firewalls. I emphasized intranet firewalls, because they tend to be more complex than internet ones. I have yet to find an internet firewall with 12 interfaces. Of course you need good people, and good tools.
Could you provide more details about the environment that you are working in/targeting? Many of the statements you have made seem outrageous, and a better idea of what environment you are discussing may cause them to seem less so.
> I don't know why you came up with this MAC stuff. Of course I had the time. And after I had developed a configuration scheme which is broadly usable, it was only a matter of normal operation to use that scheme. See, when we started to introduce CC, most of the developers gave horrible quotes for writing an ST. After we took them through a two-day workshop introducing them to CC, they realized that we ask for doable things, and the quotes reflected that. Go configure some MAC systems, keeping in your head that you have to find a way with which the average sysadmin can deploy it, and after the third system you will come up with your scheme.
Have you thought to check the credentials of the person that you're flaming?
> > Here's a free clue: internal networking is quite a bit more than ssh and http. I don't even want to try to _guess_ the number of protocols in use in a network of this size. I could take a wild stab at the number of _standard_ protocols in use, perhaps, but the _legacy_ ones ...? Is your advice also that they write their own application layer gateways for all these protocols? And continually reverse engineer changes to these legacy/proprietary protocols?
> We can do a contest of "how many protocols do you firewall, and how many of them are protected in some way". I would win for sure. Of course we maintain stringent rules about which protocols are enabled in the intranet, but the business also comes first, so we often get hard challenges.
This isn't a contest to see who can firewall the most protocols. It's a question about what protocols are in use, and if that is actually a static list (which it normally isn't), and how to protect the inevitable oddities arising from legacy or custom software.

<generalized bashing of other products deleted>

Your overall credibility would be vastly improved if you spent more time detailing (briefly!) the pluses and minuses of various approaches to firewall products and deployments, rather than claiming that you have the One True Solution (tm).

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound desire for fish and an equally deep, passionate and profound desire to avoid getting wet. This is the defining metaphor of my life right now."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: [Fwd: Re: Protecting a datacentre with a firewall] (fwd) Cat Okita (May 04)
- RE: [Fwd: Re: Protecting a datacentre with a firewall] (fwd) Jermaine Howard (May 05)