Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 26 Nov 2007 09:44:57 -0500

Isn't that kind of amazing? People look at these "stateful firewalls" as
if they're somehow doing something IMPORTANT but they're basically a
router with "established" and a kind of "synthetic established" for UDP.
People, that's barely a security device at all - 99% of what you're
getting is the "firewall" sticker on the front.

You're overlooking the real value of state tables, I think.  The real
advantage isn't technical, it's cognitive.  If I don't have to think about,
decide on, classify, and manage all ends of the traffic crossing my border,
my life is a whole lot easier.  A stateful firewall lets you think about
your policy in terms of published services; "I let the whole Internet
connect to this web server and that mail server, but nothing else.  And then
whatever our people inside want to do."

Call it cynical.  Call it misguided.  Call it naive.  Call it stupid.  But
it saves time and energy which translates to money.  And it seems to be
where the equilibrium for the firewall security vs. admin overhead equation
is, or at least has been in recent history.

PaulM
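As an added illustration (not from the post, and not any real firewall's code), a toy model of the state table the thread is arguing about: a packet filter that knows only "established", a timed-out pseudo-state for UDP, and a policy written the way PaulM describes it, in terms of published services plus "whatever our people inside want to do". The network, the published services and the UDP timeout are constructed values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy values for this example (not from the post):
INSIDE = ipaddress.ip_network("10.0.0.0/8")      # "our people inside"
PUBLISHED = {                                     # the published services
    ("tcp", "203.0.113.10", 80),                  # the web server
    ("tcp", "203.0.113.10", 443),
    ("tcp", "203.0.113.25", 25),                  # the mail server
}
UDP_TIMEOUT = 30.0  # seconds of silence before a UDP "connection" is forgotten

@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP only: True for a bare SYN (new connection attempt)

class StatefulFilter:
    """A router with 'established' plus a timed-out pseudo-state for UDP."""

    def __init__(self):
        # flow 5-tuple in the initiating direction -> time of the last packet
        self.table = {}

    def _expire_udp(self, now):
        # UDP has no teardown, so "established" is synthesised from a timer
        for key, last in list(self.table.items()):
            if key[0] == "udp" and now - last > UDP_TIMEOUT:
                del self.table[key]

    def decide(self, p, now=0.0):
        self._expire_udp(now)
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            if key in self.table:          # belongs to a tracked flow: ESTABLISHED
                self.table[key] = now
                return "accept"
        # No state, so this has to be a legitimate new flow
        if p.proto == "tcp" and not p.syn:
            return "drop"                  # unsolicited mid-stream TCP segment
        if ipaddress.ip_address(p.src) in INSIDE or (p.proto, p.dst, p.dport) in PUBLISHED:
            self.table[fwd] = now          # remember it so the replies get through
            return "accept"
        return "drop"
```

Everything the administrator has to decide is in the two constants at the top; the state table takes care of classifying the return traffic.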

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
