Firewall Wizards mailing list archives
Re: State of security technology for the enterprise
From: "Chris Hughes" <chughes () l8c com>
Date: Thu, 30 Apr 2009 12:27:33 -0400
Point taken on chasing new technologies, however, with new methods of controlling access and thwarting attacks I stand to gain advantage where I am currently vulnerable.

Good point on zones/architecture. Since I was responsible for building the network I was sure to take security into account. The problem with internal firewalling was the vast array of services offered and the churn of development and implementation. Development was hampered by programmers who were not network aware. New services are continually being brought online. I am a team of one for security and there are nearly 150 servers and nearly 200 services riding on them. This is an organizational issue I don't expect to be resolved here. However, it's worth mentioning when you consider UTM could potentially make it all more manageable for folks in the same boat as me.

I share your thoughts on the vendors. So far Juniper is my favorite. I just looked at Fortinet today in a webex and it looks ok. (Fortigate)

-------------------------------------------------------------------
From: "miedaner" <miedaner () twcny rr com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: "Firewall Wizards Security Mailing List"

The underlying architecture is very important to providing control. Build in security zones, dmz, transit, low to high zones.
From layer 1-7 as you move from low to high zones controls should increase
and each zone should be set up to detect problems. Less is more, permit few, deny all. You can buy all the gadgets you want but in the arms race that has been occurring for as long as I can remember, you will never ever be ahead of the enemy, or clueless user, unless you don't allow it by default.

That being said, my experience:
Cisco is weak
Love Netscreen/Juniper
ISS is expensive and since IBM took them over is getting weaker
Palo Alto seems promising
Sidewinder is good
DPI is a marketing term to me

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Chris Hughes
Sent: Wednesday, April 29, 2009 9:31 AM
To: firewall-wizards () listserv icsalabs com
Subject: [fw-wiz] State of security technology for the enterprise

Hello all. I am currently developing a strategy for evolving the security for my enterprise network. Currently I protect the core network (servers and services) and internet with inline sensors, use HIDS on all client machines (which performs event correlation with the inline sensors), content filtering, use of AV on all hosts, SSL and IPSec VPN and spamfiltering on the edge.

In reviewing the latest offerings I see that there are new and potentially immature technologies that may be the direction I need to look. These include:

- DPI (deep packet inspection) firewalls
- Content filtering on the firewall
- SSL proxying with decryption for filtering abuse and data leak
- DLP - related to SSL filtering but with the addition of protecting data at rest from leaving the network.
- VMWARE/Hypervisor sensors to protect my virtual infrastructure

The vendors' offerings I am reviewing include:

- Cisco
- ISS
- Juniper
- Fortinet
- Palo Alto

If I omitted serious contenders from my list please bring them to my attention. I also have a feature matrix I am willing to share if anyone is interested.
Cisco has point product solutions for the most part but Juniper, Palo Alto and Fortinet are combining some of the new abilities into a single appliance. I am looking for conversation on the newer technologies as well as thoughts of combining them on a single albeit clustered/HA appliance versus separate solutions for each function. Another thing I wrestle with is single vendor solutions versus a hybrid solution that offers some diversity and a system of checks and balances.

Of particular interest is DPI. From what I read this will be a major advance that really grants security admins control at the firewall that they never had before. Please share your thoughts.

Thanks

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest, Vol 36, Issue 39
Current thread:
- State of security technology for the enterprise Chris Hughes (Apr 29)
- Re: State of security technology for the enterprise ArkanoiD (Apr 29)
- Re: State of security technology for the enterprise miedaner (Apr 29)
- Re: State of security technology for the enterprise Marcin Antkiewicz (Apr 30)
- <Possible follow-ups>
- Re: State of security technology for the enterprise Chris Hughes (Apr 30)
- Re: State of security technology for the enterprise Paul D. Robertson (Apr 30)
- Re: State of security technology for the enterprise Marcus J. Ranum (Apr 30)
- Re: State of security technology for the enterprise Paul D. Robertson (Apr 30)
- Re: State of security technology for the enterprise Brian Loe (Apr 30)
- Re: State of security technology for the enterprise Paul D. Robertson (Apr 30)
- Re: State of security technology for the enterprise Paul D. Robertson (Apr 30)