Firewall Wizards mailing list archives

Re: [Fwd: Re: Protecting a datacentre with a firewall] (fwd)


From: Cat Okita <cat () reptiles org>
Date: Sun, 4 May 2003 19:51:21 -0400 (EDT)

"mag" proclaimed on 04 May 2003 11:00:23 +0200
I was telling the truth. We have found that no useable firewalls
on the market, so we had to develop one.

I have to admit to a morbid curiosity about what you consider "useable".
What specific criteria do you use to define "useable"?

> You are successful when you are able to withstand attacks, not when
> you are able to get the traffic through. Thank you, I know how the
> average firewall admin responds to problems which cannot be solved
> with his firewall. He opens everything. I have seen lots of setups of
> this kind.

Oddly enough I've always felt that there was a great deal of importance
to be placed on being able to perform those tasks required to run the
business. Claiming that it's unimportant to be able to pass traffic
suggests that you're familiar with extremely simple or limited environments.

> > > So prepare for a big work. We have been doing it for five years, and have
> > > at least another five years ahead. And we are not even multinational.
> > "a big work"?  Please tell me you're joking.
> I am NOT joking.

It does have shades of the "Big Dig", but I suspect language issues.

> 4 good people are enough for approx 80 _intranet_ firewalls. I emphasized
> intranet firewalls, because they tend to be more complex than internet
> ones. I have yet to find an internet firewall with 12 interfaces.
> Of course you need good people, and good tools.

Could you provide more details about the environment that you are
working in/targeting? Many of the statements you have made seem
outrageous, and a better idea of what environment you are discussing
may cause them to seem less so.

> I don't know why you came up with this MAC stuff. Of course I had the
> time. And after I had developed a scheme of configuration which is
> broadly useable, it is only a matter of normal operation to use that
> scheme. See, when we started to introduce CC, most of the developers
> gave horrible quotes for writing an ST. After we took a two day workshop
> introducing them to CC, they realized that we ask for doable things,
> and the quotes reflected that. Go configure some MAC systems,
> keeping in your head that you have to find a way with which the average
> sysadmin can deploy it, and after the third system you will come up with
> your scheme.

Have you thought to check the credentials of the person that you're
flaming?

Here's a free clue: internal networking is quite a bit more than ssh
and http. I don't even want to try to _guess_ the number of protocols
in use in a network of this size. I could take a wild stab at the
number of _standard_ protocols in use, perhaps, but the _legacy_
ones ...?  Is your advice also that they write their own application
layer gateways for all these protocols?  And continually reverse
engineer changes to these legacy/proprietary protocols?

> We can have a contest of "how many protocols are you firewalling,
> and how many of them are protected in some way". I would win for sure.
> Of course we maintain stringent rules about which protocols
> are enabled in the intranet, but the business also comes first,
> so we often get hard challenges.

This isn't a contest to see who can firewall the most protocols. It's
a question about what protocols are in use, and if that is actually a
static list (which it normally isn't), and how to protect the inevitable
oddities arising from legacy or custom software.

<generalized bashing of other products deleted>

Your overall credibility would be vastly improved if you spent more
time detailing (briefly!) the pluses and minuses of various approaches
to firewall products and deployments, rather than claiming that you
have the One True Solution (tm).

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
