Firewall Wizards mailing list archives

RE: Multiple firewalls from different manufacturers


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 28 Jan 2005 21:23:42 -0500 (EST)

On Fri, 28 Jan 2005, Paul D. Robertson wrote:

> On Fri, 28 Jan 2005, Hurst, Dave wrote:
>
> > That may be the case for some small shops, but I'm wondering if that's
> > really the case for organizations that have more complex networks.  If
>
> Sometimes they're worse.  Most of my examples are larger organizations.  I
> heard of one that averaged 35 rule changes a day too.


How about when the network and firewall topology are so overtly complex,
the organisation has to implement two additional maintenance windows a
week, to correct problems in firewall changes made in the real maintenance
window on Saturday nights/Sunday mornings?

Because changes are made without any real audit taking place, and no
overseeing done by the security group, what we catch are those changes
that break application connectivity.  What we totally miss are those
changes that break security.


> > you're segmenting the network into subnets to isolate different parts of
> > the organization or to contain mobile users, providing secure access for
> > remote users, connecting geographically distributed locations with VPN
> > links, providing extranet services to customers, or any of a dozen other
> > things that are driving complexity in the network infrastructure these
> > days, then deploying a just single firewall seems untenable.


> Yet it seems to meet the "We have a firewall" criterion- then it becomes
> "We have a huge, expensive firewall!"  then two...
>
> If folks planned better, they'd have fewer issues, but mostly in large
> organizations coordination is a real headache.


Shimming in security is tough enough, without having to try and shim it in
without taking it into consideration at the beginning of the project,
mostly due to lack of a top down management approach towards security,
which despite all the press claiming security is growing by leaps and
bounds, remains far too common in this state of the game.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as its accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robbins <Still Life With Woodpecker>

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
