Firewall Wizards mailing list archives
RE: so much for "deny all"
From: "Paul Melson" <psmelson () comcast net>
Date: Tue, 14 Jun 2005 08:54:47 -0400
I think that Gartner's assertion that these firewalls "...allow all network traffic and behavior..." is likely to be a misstatement, at least insofar as these devices are either a) intended to be deployed behind an existing firewall with a typical ACL/NAT policy or b) have typical ACL and NAT capabilities in addition to [meaningless buzzword omitted] features. Either way, they can still be configured with a default deny-all rule. I think it's much ado about nothing (both the panic and the hype).

The real issue is the same issue that's been plaguing networks since the first "stateful" firewalls shipped to customers: it is easier to adopt a sloppy trust model than it is to discover, document, and enforce a strict traffic policy. Despite the obvious problems, firewall vendors are ultimately just vendors. They must move units, and therefore their products have features that appeal to our lazy networks and lax policies.

PaulM

-----Original Message-----
Subject: Re: [fw-wiz] so much for "deny all"
From the TechTarget coverage of the Gartner Security Summit this week:
"Next generation firewalls that do deep-packet inspections from vendors like Juniper Networks, Check Point and Fortinet employ a heuristics engine and allow all network traffic and behavior, except those which policy says it must block. Most enterprises, however, refresh their firewall purchases on a three- to five-year cycle and that makes it challenging to synch new features."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards