I see your side Cameron.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 11/15/2011 09:20 AM, Cameron Byrne wrote:
On Nov 15, 2011 7:09 AM, "-Hammer-" <bhmc...@gmail.com
<mailto:bhmc...@gmail.com>> wrote:
>
> Guys,
> Everyone is complaining about whether a FW serves its purpose or
not. Take a step back. Security is about layers. Router ACLs to filter
whitenoise. FW ACLs to filter more. L7 (application) FWs to inspect
HTTP payload. Patch management at the OS and Application layer on the
server. Heuristics analyzing strategically placed SPAN feeds. The list
goes on depending upon the size of your enterprise.
>
I would say security is about stopping threats , not layering in
technology and tools. Granted, layer is a good idea, throwing
everything including the kitchen sink at a problem will result in just
a larger problem.
> I don't think in a large environment you can avoid "complexity"
these days. What you have to succeed at is managing that complexity.
And L3 FWs have a very important purpose. They filter garbage. You
focus your IDS/IPS on what the FW is allowing. It's more than a screen
door. But yes, it's LESS than a true vault door. It's all about
mitigating the risk. You'll never be 100% full proof.
>
Large environments have to force simplicity to combat the natural ebb
of complexity. The largest operators live by one rule , KISS.
L3 network fw are an attack vector and single point of failure.
But, I think this thread is not changing anyone's mind at this point.
> -Hammer-
>
> "I was a normal American nerd"
> -Jack Herer
>
>
>
>
> On 11/15/2011 08:56 AM, William Herrin wrote:
>>
>> On Tue, Nov 15, 2011 at 9:17 AM,<valdis.kletni...@vt.edu
<mailto:valdis.kletni...@vt.edu>> wrote:
>>
>>>
>>> And this is totally overlooking the fact that the vast majority of
*actual*
>>> attacks these days are web-based drive-bys and similar things that
most
>>> firewalls are configured to pass through.
>>>
>>
>> Valdis,
>>
>> A firewall's job is to prevent the success of ACTIVE attack vectors
>> against your network. If your firewall successfully restricts
>> attackers to passive attack vectors (drive-by downloads) and social
>> engineering vectors then it has done everything reasonably expected of
>> it. Those other parts of the overall network security picture are
>> dealt with elsewhere in system security apparatus. So it's no mistake
>> than in a discussion of firewalls those two attack vectors do not
>> feature prominently.
>>
>> Regards,
>> Bill Herrin
>>
>>
>>
>>