Firewall Wizards mailing list archives
Re: Firewall bake-off?
From: "Jim MacLeod" <jmacleod () gmail com>
Date: Mon, 19 Mar 2007 13:03:30 -0700
On 3/19/07, Marcus J. Ranum <mjr () ranum com> wrote:
[...] if someone starts talking about PPS as a firewall benchmark, they may as well hold up a big sign that reads: "I DO NOT UNDERSTAND WHAT A FIREWALL DOES"
Meaning no disrespect, it must also be stated that many companies have a business need for their networks to be both Secure and Fast.

I am reminded of the argument that Telnet is a terrible protocol, because it has a huge amount of protocol overhead per byte of payload. The protocol MUST operate that way to provide rapid user feedback. Everything has its strengths and weaknesses.

Similarly, a layer 7 proxy does not provide any more security than a layer 4 stateful packet filter - for a given protocol - if the layer 7 element does not enforce rules for that protocol. My favorite example is ssh: port forwarding allows a lot of sins to be hidden from centralized access control, but "it's encrypted, so it must be secure." (Yes, there are ssh proxies that can address this, but they're not a common feature in firewalls.)

Anyone who focuses purely on speed in a firewall will arguably gain nothing, as any potential improvement in security is nullified by a false sense of confidence.

Anyone who completely neglects speed in a firewall will arguably hurt their security posture by contributing to the perception that security slows down your network, thus encouraging end users - or even worse, CIOs - to attempt to bypass it.

-Jim