Firewall Wizards mailing list archives
RE: The Death Of A Firewall
From: <hugh_fraser () dofasco ca>
Date: Thu, 27 Oct 2005 16:31:21 -0400
There's a lot in the article that's left to speculation. I admire their internal network design: multiple security zones with clearly-defined services separated by application-layer firewalls, network ACLs to control traffic flows. Being able to accurately profile traffic traversing the network allows strict firewall rules and network ACLs, and greatly enhances the IDS's or IPS's ability to identify bogus traffic. He's also got a compartmentalized network that may allow him to contain a virus or worm, preventing, for instance, a workstation infected with a virus from spreading it to the core business servers.

It's not clear what he's done with the clients. They're running a hardened OS, with the latest AV and presumably a firewall. He hasn't said they've got carte blanche to run anything they want; perhaps the clients are locked down to a selection of approved apps, but they have a broader selection than most of us would. With all the effort they've put into the rest of their network, I have to assume that they've recognized the threats from the workstation and have instrumented and profiled them as well as they have elsewhere.

Unfortunately, this isn't usually the case. It's the exceptions that get you: the users with extra rights who turn off the firewall, the admin people who've opened up some extra inbound ports in their firewall to allow a "special" app to work, the machines that for some reason didn't get the latest AV signature. And I can just imagine the complaints from our network group as their switches (which we rely on for traffic flow management, not security) start to see some of the pounding our perimeter firewall receives.
So it's tough to understand why, with all the effort they've put into hardening the interior, he would resist adding the incremental cost of one more firewall to protect the perimeter and potentially have the best of all worlds (a crunchy exterior and interior), unless it really is for "Taking that crutch away has forced us to rethink our security model". I'd be inclined to find another way to sell that lesson.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Pedski
Sent: Monday, October 17, 2005 9:30 PM
To: James Paterson
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] The Death Of A Firewall

James Paterson wrote:
http://www.securitypipeline.com/165700439
Be interesting to get the community's take on this article.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This is a model that has holes... router ACLs are not stateful. They seem to have some security by means of a DMZ. The management overhead of this is high... sometimes it is not that easy deploying patches if the vulnerability came in the night... meaning if you are blocking everything with a firewall you bought yourself some time... in this case they are open... the term "raise their immunity to exist in harsher conditions" sounds really nice... but often attacks or worms come like a thief in the night... there is something flawed with this architecture.
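Pedski's point that router ACLs are not stateful is worth making concrete. The following is an added illustration written for this archive page; it is not code from the thread, from the article, or from the network it describes, and the addresses, ports and packets in it are constructed. It models a classic "permit established" router ACL, which admits any inbound TCP segment with the ACK bit set because it only inspects the packet in front of it, next to a stateful filter that admits an inbound segment only when it matches a flow the inside host actually opened. A forged ACK-bearing packet aimed at an internal host passes the ACL and is dropped by the stateful filter; this is exactly the packet an ACK scan (for example nmap's -sA) sends to map which ports a stateless filter lets through.

```python
"""Stateless 'established' ACL vs. stateful connection tracking.

Added example, not from the mailing-list thread. The 10.0.0.0/8 range,
the hosts and the packets below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range


@dataclass(frozen=True)
class Packet:
    """Minimal TCP header view: addresses, ports and the two flags we need."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def stateless_acl(pkt: Packet) -> bool:
    """Model of a router ACL with an 'established'-style rule.

    Outbound from inside: permit.  Inbound from outside: permit only if
    ACK is set, on the theory that replies carry ACK and new connection
    attempts (bare SYN) do not.  The router remembers nothing, so it
    cannot tell a genuine reply from a forged packet with ACK set.
    """
    if is_internal(pkt.src) and not is_internal(pkt.dst):
        return True
    if not is_internal(pkt.src) and is_internal(pkt.dst):
        return pkt.ack
    return False


class StatefulFirewall:
    """Connection-tracking filter: inbound traffic must match an
    outbound flow that an inside host opened with a SYN."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> bool:
        outbound = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_internal(pkt.src) and not is_internal(pkt.dst):
            if pkt.syn and not pkt.ack:          # inside host opens a flow
                self.flows.add(outbound)
                return True
            return outbound in self.flows        # later segments of a known flow
        if not is_internal(pkt.src) and is_internal(pkt.dst):
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return reverse in self.flows         # only replies to known flows
        return False


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Run four constructed packets through both filters.

    Returns {name: (stateless_acl_verdict, stateful_verdict)}.
    """
    fw = StatefulFirewall()
    packets = [
        # inside workstation opens a web connection to an outside server
        ("outbound_syn", Packet("10.1.2.3", 40000, "203.0.113.10", 80, syn=True)),
        # the server's SYN/ACK reply to that connection
        ("reply", Packet("203.0.113.10", 80, "10.1.2.3", 40000, syn=True, ack=True)),
        # attacker sends an ACK-only packet at SMB on the workstation (ACK scan)
        ("forged_ack", Packet("198.51.100.7", 31337, "10.1.2.3", 445, ack=True)),
        # attacker's plain SYN to the same port
        ("inbound_syn", Packet("198.51.100.7", 31337, "10.1.2.3", 445, syn=True)),
    ]
    return {name: (stateless_acl(p), fw.filter(p)) for name, p in packets}


if __name__ == "__main__":
    for name, (acl, stateful) in run_scenario().items():
        print(f"{name:12s} stateless_acl={'permit' if acl else 'deny':6s} "
              f"stateful={'permit' if stateful else 'deny'}")
```

The interesting row is forged_ack: the stateless ACL permits it, so the packet reaches the internal host, which answers with a RST that the ACL also permits outbound, telling the scanner the port is unfiltered. The stateful filter drops the packet because no inside host ever opened a flow to 198.51.100.7:31337. Real connection trackers also age entries out and validate sequence numbers; this model omits both.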
Current thread:
- RE: The Death Of A Firewall hugh_fraser (Nov 02)
- <Possible follow-ups>
- Re: The Death Of A Firewall sai (Nov 02)
- RE: The Death Of A Firewall Joe (Nov 17)