Firewall Wizards mailing list archives
RE: so much for "deny all"
From: "Kerry Thompson" <kez () crypt gen nz>
Date: Fri, 17 Jun 2005 10:22:09 +1200 (NZST)
Paul Melson said:
[snip] I think it's much ado about nothing (both the panic and the hype). The real issue is the same issue that's been plaguing networks since the first "stateful" firewalls shipped to customers: it is easier to adopt a sloppy trust model than it is to discover, document, and enforce a strict traffic policy. Despite the obvious problems, firewall vendors are ultimately just vendors. They must move units, and therefore their products have features that appeal to our lazy networks and lax policies.
Possibly what they are referring to is the multitude of applications which tunnel traffic over innocuous ports. Almost anything can be tunnelled over http/https now - just take a look at "firewall friendly" SSL-VPNs which happily pass through proxies to connect an outside endpoint to the internal desktop PC. Even fairly lame stuff like gotomypc.com is getting harder to manage as it becomes more common.

So the firewalls now have to do "deep inspection" to try to pick out and manage this crap being tunnelled, and the poor security administrator is being forced to take a stance where he has to permit everything and make some attempt to pick out the rubbish which is deeply hidden and probably even encrypted.

Not surprisingly, plenty of vendors who sell the tunnelling technology (like SSL VPNs) now need to sell new firewalls which need "deep inspection" to manage the tunnels.

Kerry

--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
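As an added illustration of the "deep inspection" point in the message above (this is example code, not part of Kerry's post or the thread): a small Python check that looks at the first bytes a client sends on TCP/443 and reports whether they really are a TLS ClientHello (and which SNI it names) or something else riding the port. The ClientHello builder and the sample payloads are constructed for the example; nothing here is captured traffic.

```python
import struct

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record with one SNI extension (sample input)."""
    host = sni.encode()
    # server_name extension: type(2) ext_len(2) list_len(2) name_type(1) name_len(2) name
    sni_ext = struct.pack("!HHHBH", 0, len(host) + 5, len(host) + 3, 0, len(host)) + host
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"           # one cipher suite, null compression
            + struct.pack("!H", len(sni_ext)) + sni_ext)  # extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 3-byte len
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(body: bytes):
    """Walk a ClientHello body and return the server_name, or None if absent/malformed."""
    try:
        pos = 34                                   # skip version(2) + random(32)
        pos += 1 + body[pos]                       # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                       # compression methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0:                         # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode(errors="replace")
            pos += elen
    except (IndexError, struct.error):
        pass
    return None

def classify_port443(payload: bytes) -> str:
    """Say what the first client bytes on port 443 actually are; port alone proves nothing."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 0x03:
        if payload.startswith(b"SSH-"):
            return "ssh-over-443"
        if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"CONNECT", b"PUT"):
            return "plaintext-http-over-443"
        return "unknown-non-tls"
    record_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:               # handshake type 1 = ClientHello
        return "tls-but-not-client-hello"
    sni = extract_sni(hs[4:])
    return f"tls-client-hello sni={sni}" if sni else "tls-client-hello no-sni"
```

A real inspection engine would go further (certificate checks, flow statistics, policy on the SNI), but this is the minimum needed to tell "443 because it is TLS" from "443 because it gets through".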
Current thread:
- so much for "deny all" Tina Bird (Jun 10)
- Re: so much for "deny all" Dave Piscitello (Jun 13)
- RE: so much for "deny all" Tina Bird (Jun 15)
- RE: so much for "deny all" Dave Piscitello (Jun 15)
- RE: so much for "deny all" Tina Bird (Jun 15)
- Re: so much for "deny all" Adam Jones (Jun 13)
- RE: so much for "deny all" Paul Melson (Jun 16)
- RE: so much for "deny all" Kerry Thompson (Jun 17)
- RE: so much for "deny all" Paul Melson (Jun 16)
- Re: so much for "deny all" Rob Hughes (Jun 15)
- Re: so much for "deny all" Dave Piscitello (Jun 13)