RE: so much for "deny all"

["Paul Melson" <psmelson () comcast net>]

I think that Gartner's assertion that these firewalls "...allow all network
traffic and behavior..." is likely to be a misstatement, at least insofar as
these devices are either a) intended to be deployed behind an existing
firewall with a typical ACL/NAT policy or b) have typical ACL and NAT
capabilities in addition to [meaningless buzzword omitted] features.  Either
way, they can still be configured with a default deny-all rule.

I think it's much ado about nothing (both the panic and the hype).  The real
issue is the same issue that's been plaguing networks since the first
"stateful" firewalls shipped to customers: it is easier to adopt a sloppy
trust model than it is to discover, document, and enforce a strict traffic
policy.  Despite the obvious problems  firewall vendors are ultimately just
vendors.  They must move units, and therefore their products have features
that appeal to our lazy networks and lax policies.

PaulM 


-----Original Message-----
Subject: Re: [fw-wiz] so much for "deny all"

> From the TechTarget coverage of the Gartner Security Summit this week:
 
"Next generation firewalls that do deep-packet inspections from 
vendors like Juniper Networks, Check Point and Fortinet employ a 
heuristics engine and allow all network traffic and behavior, except 
those which policy says it must block. Most enterprises, however, 
refresh their firewall purchases on a three- to five-year cycle and 
that makes it challenging to synch new features."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards