Firewall Wizards mailing list archives

Re: How to automate ... Correct Network Designs...


From: "J. Oquendo" <sil () infiltrated net>
Date: Thu, 24 Aug 2006 20:22:13 -0500

Jim Seymour wrote:
"Marcus J. Ranum" <mjr () ranum com> wrote:
[snip]
The "take whole classes of problems off the table" approach
is what engineers consider elegance of design. It's that kind
of elegance that is mostly lacking in how we do operating
systems and security system design, today.

There is a structured systems design book I have (I think that's the
one, anyway) that recommends input be conditioned as early in the data
flow as possible so it's done and over with, and you don't have to
worry about unconditioned data floating around in the system, being
(similarly) conditioned in multiple places (code redundancy), etc.
Similar concept.

Jim

"Data flow as early as possible" could be problematic if your network isn't/wasn't designed properly. What kind of 
network are you talking about, a structured network where functions are layered (core, distribution, access) properly? 
A collapsed core? Generally at the Core layer you wouldn't want to slow down the network with filtering. It being the 
core layer, data has to get in fast and pass out fast. Distribution and access, sure. But to state "data flow as early 
as possible" is partially incorrect. If your network wasn't designed properly, sure. If your routers have enough 
memory, sure, if you want more rules atop more rules, sure. However, if your firewall can't perform or is getting 
choked then you should seek a better appliance/program.

Here is something I found a bit humorous about a month ago... I have a client (I maintain their telecom side of things 
(VoIP)). They have enterprise Firewall-1. The whole kit and kaboodle cost 90k last year. The vendor they purchased it 
from maintained it. That vendor lost the "certified" person to manage it... (I never knew one had to be CCSA/CCSE 
certified to maintain FW1 *snicker*). The staff at my client did not know how to manage FW1. Their solution? They 
sought to purchase a Cisco ASA5xxx series for something like 13k. My suggestion? After explaining to them they'd end up 
losing out by dumping FW1, going through the whole ROI with my client's senior management, going through the pros and 
cons... Turns out ... You guessed it, they stood with FW1, found a CP platinum partner to manage it, and that was the 
end of it. The reasoning they wanted to go with Cisco (outside of someone's notion of playing with something new) was, 
it was slow, too many rules, etc... After looking at their ruleset, doing a network analysis, rules were simplified, 
its use as a firewall was given to... The router as 
it should be... And guess what? Everyone is happy. -- Well at least everyone except the guy who wanted his new toy.

So while being slightly off-topic (hey I have to humor myself somehow), I don't believe filtering "straight from the 
top" is applicable to everyone. No two networks are the same.

-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net 

The happiness of society is the end of government.
John Adams


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards