Firewall Wizards mailing list archives
RE: Firewalls Compared
From: jseymour () linxnet com (Jim Seymour)
Date: Tue, 29 Jun 2004 10:19:11 -0400 (EDT)
"Stiennon,Richard" <Richard.Stiennon () gartner com> wrote:
> Am I the only one that sees a huge difference between an application proxy (ala the good old days of server based firewalls) and filters that are applied to payloads (ala Network Intrusion Prevention) by inline network devices?
Er... no? (Depending on how you define "filter.")
> Let's keep in mind that stateful inspection firewalls are GREAT security devices. They protect over 80% of enterprise networks today.
FSVO "protection." Their popularity does not, of necessity, make them the best solution.
> SQL Slammer cannot get through a firewall with port 1443 blocked. Same for MSBlaster, Welchia etc.
Those can't get through my little NAT DSL router at home, but I hardly refer to that NAT box as a "firewall."
[snip]
> Worms generally target Microsoft vulnerabilities. Are you going to write application proxies for Exchange? ASN 1? Does anyone other than MSFT even know how these applications communicate? Not.
Which is as good a reason as any other, perhaps a better reason, not to allow such things through whatever you use that passes as a firewall. What an... interesting argument. It's a proprietary protocol that we do not, and likely can not, know anything about, so we just let it in and hope for some internal, after-the-fact defenses to deal with it?
> But, you know what the vulnerability looks like and could look at traffic and identify malicious activity even without signatures.
I'm trying to reconcile "know what the vulnerability looks like" with "even without signatures," and failing miserably.
> The future of network security is all about inspecting traffic. It is not about application proxies.
In your opinion.

Personally, I prefer defense-in-depth. Try to keep it from getting in, in the first place. Assume something will defeat my border defenses, and so harden everything inside as best I can [*] and deploy internal detection and reactive defenses.

[*] "As best I can" amounts to what's technically possible, as much as possible w/o crippling usability beyond tolerable limits.

Without meaning to be insulting, really, I do have to say that if Mr. Stiennon's position is common amongst the analysts at Gartner, that organization's cachet has just taken a *major* hit in my eyes.

Perhaps I'm missing/misunderstanding something. If so: Somebody kindly enlighten me?

Jim
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
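The three control points the thread argues over (a port-based stateful filter, an inline payload inspector driven by signatures, and an application proxy that only forwards protocol-conforming requests) behave differently on the same traffic. The following is an added example written for this archive page; it is not code from either poster, and the toy "GET /path" request grammar, the single constructed signature, the allow-listed port and the sample messages are all assumptions made for illustration, not real worm traffic or IDS rules.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    """A single inbound message: destination port plus application payload."""
    dst_port: int
    payload: bytes


# --- Policy 1: port-based packet filter (looks at the header, ignores payload) ---
ALLOWED_PORTS = {80}  # hypothetical policy: only the web service is exposed


def port_filter(msg: Message) -> bool:
    """Allow iff the destination port is on the allow-list."""
    return msg.dst_port in ALLOWED_PORTS


# --- Policy 2: inline payload inspection driven by a signature list ---
# Constructed marker for illustration only; it is not a real IDS signature.
SIGNATURES = (re.compile(rb"KNOWN-BAD-MARKER"),)


def signature_filter(msg: Message) -> bool:
    """Allow unless a known signature matches somewhere in the payload."""
    return not any(sig.search(msg.payload) for sig in SIGNATURES)


# --- Policy 3: application proxy that validates the protocol grammar ---
# Toy request grammar (an assumption for this example): exactly one request
# line "GET /<path>\r\n" whose <path> is at most 255 printable-ASCII bytes.
REQUEST_LINE = re.compile(rb"GET /[\x21-\x7e]{0,255}\r\n")


def proxy_filter(msg: Message) -> bool:
    """Allow iff the entire payload is one well-formed request line."""
    return REQUEST_LINE.fullmatch(msg.payload) is not None


def evaluate(msg: Message) -> dict:
    """Run all three policies on one message; True means 'forwarded'."""
    return {
        "port_filter": port_filter(msg),
        "signature_filter": signature_filter(msg),
        "proxy": proxy_filter(msg),
    }


# Constructed sample traffic (not captures of real worms or exploits).
SAMPLES = {
    # Ordinary request: every policy forwards it.
    "well_formed": Message(80, b"GET /index.html\r\n"),
    # Service port not exposed: the port filter alone suffices, whatever the payload.
    "closed_port": Message(1434, b"GET /index.html\r\n"),
    # Valid request whose path carries a known marker: only the signature
    # engine objects; the proxy sees conforming protocol and forwards it.
    "known_bad_in_valid_request": Message(80, b"GET /KNOWN-BAD-MARKER\r\n"),
    # Malformed request (oversized path of non-printable bytes) that matches
    # no signature: only the protocol-validating proxy stops it.
    "malformed_no_signature": Message(80, b"GET /" + b"\x90" * 400 + b"\r\n"),
}


def summarize() -> dict:
    """Verdicts for every sample, keyed by sample name."""
    return {name: evaluate(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in summarize().items():
        print(f"{name:28s} {verdict}")
```

The last two samples are the ones the argument turns on: the proxy rejects the malformed request without any signature because it enforces the protocol rather than recognising the attack, while the signature engine is the only layer that catches a bad payload riding inside a perfectly well-formed request. Neither layer covers the other's gap, which is the case for running them in depth rather than choosing between them.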