Firewall Wizards mailing list archives
RE: Multiple firewalls from different manufacturers
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Fri, 28 Jan 2005 21:23:42 -0500 (EST)
On Fri, 28 Jan 2005, Paul D. Robertson wrote:

> On Fri, 28 Jan 2005, Hurst, Dave wrote:
>
> > That may be the case for some small shops, but I'm wondering if that's really the case for organizations that have more complex networks. If
>
> Sometimes they're worse. Most of my examples are larger organizations. I heard of one that averaged 35 rule changes a day too.

How about when the network and firewall topology are so overtly complex, the organisation has to implement two additional maintenance windows a week, to correct problems in firewall changes made in the real maintenance window on Saturday night/Sunday mornings? Because changes are made without any real audit taking place, and no overseeing done by the security group, what we catch are those changes that break application connectivity. What we totally miss are those changes that break security.

> > you're segmenting the network into subnets to isolate different parts of the organization or to contain mobile users, providing secure access for remote users, connecting geographically distributed locations with VPN links, providing extranet services to customers, or any of a dozen other things that are driving complexity in the network infrastructure these days, then deploying just a single firewall seems untenable.
>
> Yet it seems to meet the "We have a firewall" criterion - then it becomes "We have a huge, expensive firewall!" then two... If folks planned better, they'd have fewer issues, but mostly in large organizations coordination is a real headache.

Shimming in security is tough enough, without having to try and shim it in without taking it into consideration at the beginning of the project, mostly due to lack of a top down management approach towards security, which despite all the press claiming security is growing by leaps and bounds, remains far too common in this state of the game.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

...Love is the ultimate outlaw. It just won't adhere to rules. The most any of us can do is sign on as its accomplice. Instead of vowing to honor and obey, maybe we should swear to aid and abet. That would mean that security is out of the question. The words "make" and "stay" become inappropriate. My love for you has no strings attached. I love you for free...
-Tom Robins <Still Life With Woodpecker>