Re: Use of firewalls in networks of today (Was: Re: Setting up H323 IP telephony etc )

[Mikael Olsson <mikael.olsson () clavister com>]

"Marcus J. Ranum" wrote:
> This whole firewall "thing" has become an exercise in wishful-thinking
> "have your cake and eat it too" -- and in the long run it's not going to
> work. It only works now because the hackers aren't as smart as
> they and the media think they are.

That would be the curmudgeon view, yes, and I'll confess to being
guilty of it on some of my darker days.

The important difference is that firewalls (as in "the box that all
traffic to the Internet has to pass through") can no longer be used 
for risk elimination for meaningful values of "network traffic".  
If, indeed, they ever could.  Now, it's about risk mitigation, and 
it's just one tool of many in securing your network (perimeter).

But do people realize this? Heck no.

- "My web server got infected with Nimda! Your firewall sucks!"
- "Um, no. Look, none of your internal systems got hit in turn by 
   the web server.  The firewall did the job you configured it 
   to do.  We explain this in detail in chapter 1 in the glossy 
   user's guide."
- "%#@&¤%&@#% I want my money back!"

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards