Firewall Wizards mailing list archives

RE: so much for "deny all"


From: "Kerry Thompson" <kez () crypt gen nz>
Date: Fri, 17 Jun 2005 10:22:09 +1200 (NZST)

Paul Melson said:
[snip]
I think it's much ado about nothing (both the panic and the hype). The real issue is the same issue that's been plaguing networks since the first "stateful" firewalls shipped to customers: it is easier to adopt a sloppy trust model than it is to discover, document, and enforce a strict traffic policy. Despite the obvious problems, firewall vendors are ultimately just vendors. They must move units, and therefore their products have features that appeal to our lazy networks and lax policies.

Possibly what they are referring to is the multitude of applications which
tunnel traffic over innocuous ports. Almost anything can be tunnelled over
http/https now - just take a look at "firewall friendly" SSL-VPNs which
happily pass through proxies to connect an outside endpoint to the
internal desktop PC. Even fairly lame stuff like gotomypc.com is getting
harder to manage as it becomes more common.

So the firewalls now have to do "deep inspection" to try to pick out and
manage this crap being tunnelled, and the poor security administrator is
being forced to take a stance where he has to permit everything and make
some attempt to pick out the rubbish which is deeply hidden and probably
even encrypted.

Not surprisingly, plenty of vendors who sell the tunnelling technology (like
SSL VPNs) now need to sell new firewalls which need "deep inspection" to
manage the tunnels.

Kerry


-- 
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
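The post argues that once anything can be tunnelled over http/https, the administrator ends up permitting the port and then trying to pick the tunnels back out with "deep inspection". The most basic form of that inspection is protocol conformance: does the first client payload on port 80 actually start with an HTTP request line, and does the first payload on port 443 actually look like a TLS ClientHello? The script below is an added example written for this page, not code from the list post or from any firewall vendor; the flows it audits are constructed inline, and the two conformance checks are deliberately minimal (a request-line regex and a TLS record header test) rather than a full parser.

```python
import re

# Constructed sample flows: (destination port, first bytes of client payload).
# These are made up for the example, not captured traffic.
SAMPLE_FLOWS = [
    # Ordinary web request on port 80: conforms.
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # TLS record: type 0x16 (handshake), version 3.1, length 0x002a,
    # handshake type 0x01 (ClientHello), then padding bytes: conforms.
    (443, bytes.fromhex("160301") + b"\x00\x2a\x01" + b"\x00" * 41),
    # SSH banner sent to port 80: something non-HTTP riding the "allowed" port.
    (80, b"SSH-2.0-OpenSSH_5.8\r\n"),
    # Plaintext HTTP on port 443: not the TLS the port is meant to carry.
    (443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.[01] CRLF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r\n"
)


def looks_like_http(payload: bytes) -> bool:
    """True if the payload begins with a syntactically valid HTTP/1.x request line."""
    return HTTP_REQUEST_LINE.match(payload) is not None


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the payload begins with a TLS handshake record carrying a ClientHello.

    Record header is 5 bytes: content type, 2-byte version, 2-byte length.
    Byte 5 is the first byte of the handshake message: 0x01 is ClientHello.
    """
    if len(payload) < 6:
        return False
    content_type, major, minor = payload[0], payload[1], payload[2]
    handshake_type = payload[5]
    return (content_type == 0x16 and major == 0x03 and minor in (0x00, 0x01, 0x02, 0x03)
            and handshake_type == 0x01)


# What each "innocuous" port is expected to carry.
EXPECTED_PROTOCOL = {
    80: looks_like_http,
    443: looks_like_tls_client_hello,
}


def classify_flow(dst_port: int, payload: bytes) -> str:
    """Return 'conforming', 'non-conforming', or 'unchecked' for one flow."""
    check = EXPECTED_PROTOCOL.get(dst_port)
    if check is None:
        return "unchecked"
    return "conforming" if check(payload) else "non-conforming"


def audit(flows):
    """Classify every flow; non-conforming ones are candidates for review."""
    return [(port, classify_flow(port, payload)) for port, payload in flows]


if __name__ == "__main__":
    for port, verdict in audit(SAMPLE_FLOWS):
        print(f"port {port}: {verdict}")
```

The two non-conforming flows are the easy case: the wrong protocol on the port. The post's harder case, an SSL-VPN or a remote-desktop service that wraps itself in well-formed HTTPS (or a proxy `CONNECT` that this check accepts as syntactically valid), passes a conformance test like this one untouched, which is exactly why syntactic inspection alone does not get the administrator back to a real "deny all" policy.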

