Re: Evolution of Firewalls

[Dave Piscitello <dave () corecom com>]

At 03:14 PM 3/8/2004 -0500, Frederick M Avolio wrote:
> At 02:37 PM 3/8/2004 -0500, Dave Piscitello wrote:
> > Lots of names for the same security functionality: examining application 
> > headers and application data streams for attacks and blocking them. You 
> > can and some vendors still do this using proxy architecture, while some 
> > use the same stateful packet inspecting methods they used to examine 
> > network protocol headers.
>
> well, yeah but not really. That is the problem. All different names for 
> slightly different ways of doing things.  The the devil is in the 
> difference. But some people have lost those differences in the marketing 
> noise, if they ever understood the differences.

Emphasis on "functionality" not implementation, and "inspect all things 
that ought to have their own port # but are now tunneled through port 
80"(primarily, not exclusively). May the "don't proliferate port number 
assignment" gods forgive what I suggest here but I honestly don't think we 
make life any easier by creating one gaping hole than several dozen 
possibly containable ones.

> > The most secure firewall? Probably has less to do with proxy vs. stateful 
> > inspection than policy, implementation/configuration, and the admin at 
> > the policy console.
>
> I disagree. Both are important. The greatest policy then only gives you as 
> much security as your security mechanisms will allow.

Again, emphasis. I am saying that I'd rather have a competent staffer 
administering my stateful inspection firewall than one less competent 
administering my proxy.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards