Firewall Wizards mailing list archives

Re: State of security technology for the enterprise

From: "Chris Hughes" <chughes () l8c com>
Date: Thu, 30 Apr 2009 12:27:33 -0400

Point taken on chasing new technologies, however, with new methods of
controlling access and thwarting attacks I stand to gain advantage where I
am currently vulnerable.  

Good point on zones/architecture.  Since I was responsible for building the
network I was sure to take security into account.  The problem with internal
firewalling was the vast array of services offered and the churn of
development and implementation.  Development was hampered by programmers who
were not network aware.  New services are continually being brought online.
I am a team of one for security and there are nearly 150 servers and nearly
200 services riding on them.  This is an organizational issue I don't expect
to be resolved here.  However it's worth mentioning when you consider UTM
could potentially make it all more manageable for folks in the same boat as
me.

I share your thoughts on the vendors.  So far Juniper is my favorite.  I
just looked at Fortinet today in a webex and it looks ok. (Fortigate)


-------------------------------------------------------------------
From: "miedaner" <miedaner () twcny rr com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: "Firewall Wizards Security Mailing List" 

The underlying architecture is very important to providing control.

Build in security zones, dmz, transit, low to high zones.

From layer 1-7 as you move from low to high zones controls should increase

and each zone should be setup to detect problems.

Less is more, permit few, deny all.

You can buy all the gadgets you want but in the arms race that has been
occuring for as long as I can remember, you will never ever be ahead of the
enemy, or clueless user, unless you don't allow it by default.
  That being said my experience

  Cisco is weak

  Love Netscreen/Juniper

  ISS is expensive and since IBM took them over is getting weaker

  Palo Alto seems promising

  Sidewinder is good

  DPI is a marketing term to me

   -----Original Message-----
  From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Chris
Hughes
  Sent: Wednesday, April 29, 2009 9:31 AM
  To: firewall-wizards () listserv icsalabs com
  Subject: [fw-wiz] State of security technology for the enterprise


  Hello all.



  I am currently developing a strategy for evolving the security for my
enterprise network.  Currently I protect the core network (servers and
services) and internet with inline sensors, use HIDS on all client machines
(which performs event correlation with the inline sensors) content
filtering, use of AV on all hosts, SSL and IPSec VPN and spamfiltering on
the edge.



  In reviewing the latest offerings I see that there are new and potentially
immature technologies that may be the direction I need to look.  These
include:



  DPI (deep packet inspection) firewalls

  Content filtering on the firewall

  SSL proxying with decryption for filtering abuse and data leak

  DLP - related to ssl filtering but with the addition of protecting data at
rest from leaving the network.

  VMWARE/Hypervisor sensors to protect my virtual infrastructure



  The vendors offerings I am reviewing include:



  Cisco

  ISS

  Juniper

  Fortinet

  Palo Alto



  If I omitted serious contenders from my list please bring them to my
attention.  I also have a feature matrix I am willing to share if anyone is
interested.



  Cisco has point product solutions for the most part but Juniper, Palo Alto
and Fortinet are combining some of the new abilities into a single
appliance.



  I am looking for conversation on the newer technologies as well as
thoughts of combining them on a single albeit clustered/HA appliance versus
separate solutions for each function.  Another thing I wrestle with is
single vendor solutions versus hybrid solution that offers some dioversity
and a system of checks and balances.



  Of particular interest is DPI.  From what I read this will be a major
advance that really grants security admins control at the firewall that they
never had before.



  Please share your thoughts.



  Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/200904
29/1749774d/attachment.html>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 36, Issue 39
************************************************

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

State of security technology for the enterprise Chris Hughes (Apr 29)
- Re: State of security technology for the enterprise ArkanoiD (Apr 29)
- Re: State of security technology for the enterprise miedaner (Apr 29)
  - Re: State of security technology for the enterprise Marcin Antkiewicz (Apr 30)
- <Possible follow-ups>
- Re: State of security technology for the enterprise Chris Hughes (Apr 30)
  - Re: State of security technology for the enterprise Paul D. Robertson (Apr 30)
    - Re: State of security technology for the enterprise Marcus J. Ranum (Apr 30)
    - Re: State of security technology for the enterprise Paul D. Robertson (Apr 30)
    - Re: State of security technology for the enterprise Brian Loe (Apr 30)
- Re: State of security technology for the enterprise Chris Hughes (Apr 30)
  - Re: State of security technology for the enterprise Paul D. Robertson (Apr 30)