I fear when I read Jen's answer that many others also would have failed to
*get* what Marcus wrote. He didn't say anything about needing or wanting or
requiring absolute security. He didn't say that putting something in place
to make your security better, even if not perfect, was a bad thing. (I'm
ignoring Don Hoffmano's answer because I assume he was joking and if not...
well, I'm embarrassed for him.)

This is what I think I read, and I recommend people read it again:

        - more than ever before, firewalls are considered by many to be a magic
          device, a talisman, a provider of security just by its presence.

        - if the firewall is potentially highly granular like many proxy based
          firewalls are and stateful inspection firewalls *could be*, but all you
          are doing is plugging or filtering based on source and destination
          without doing any processing of the data, why inflict the overhead on
          your users -- use a packet filter.

        - as long as you insist on doing things in this order: determine the
          business needs (really "wants") without doing a risk assessment and
          without pushing back, then develop a "security policy" which allows the
          desired services, and then configure your firewall with holes to allow
          those services, you are using the firewall as a talisman... you may as
          well not have one.

        - While many firewalls do provide logging, most people never look at the
          logs. Again, protection by talisman. (I don't know if Marcus said this,
          but he should have if he didn't. :-))

Firewall vendors are giving people what they will buy. They have an
obligation to their stockholders to do that. And the customers are happy.
There is more discussion about a firewall vendor's dropping support of an
operating system than there is about whether they do things as securely as
they could. The questions here are rarely, "Can I do thus-and-so securely?"
and more often "How can I get thus-and-so through my firewall?"

On the other hand the situation -- from the 30,000-foot level -- is not
much different than it was 5 years ago. A small set of people and
organizations are well protected and the rest just think they are.


Fred
Avolio Consulting
16228 Frederick Road, PO Box 609, Lisbon, MD 21765
410-309-6910 (voice)            410-309-6911 (fax)
http://www.avolio.com/
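An added example, not part of Fred's post or anyone's product: the point about logging is that a firewall which logs denies is only worth something if someone reads the log and asks it questions. The script below does the smallest useful version of that over a handful of constructed log lines. It assumes a kernel packet-filter log in the key=value style of the iptables LOG target (SRC=, DST=, DPT=, with a free-form prefix such as DROP-IN); the addresses, hostnames and the "three distinct ports means a probe" threshold are illustrative assumptions, not anything the post states.

```python
"""Added example, not code from the original post: review a packet filter's
deny log instead of just collecting it.  Log format assumed to be the
iptables LOG target's key=value style; the sample lines are constructed."""
import re
from collections import defaultdict

# Constructed sample: 10.1.1.50 gets denied on three different ports of the
# web server (looks like a probe), 10.1.1.7 retries one blocked port twice,
# and 10.1.1.9 is an accepted connection that should not count as a deny.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: DROP-IN: IN=eth0 OUT= SRC=10.1.1.50 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Mar  3 10:01:03 fw kernel: DROP-IN: IN=eth0 OUT= SRC=10.1.1.50 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Mar  3 10:01:04 fw kernel: DROP-IN: IN=eth0 OUT= SRC=10.1.1.50 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=8080 SYN
Mar  3 10:02:10 fw kernel: DROP-IN: IN=eth0 OUT= SRC=10.1.1.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445 SYN
Mar  3 10:02:11 fw kernel: DROP-IN: IN=eth0 OUT= SRC=10.1.1.7 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=445 SYN
Mar  3 10:03:00 fw kernel: ACCEPT-IN: IN=eth0 OUT= SRC=10.1.1.9 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=80 SYN
"""

# "kernel: <prefix>: " followed by KEY=VALUE pairs (VALUE may be empty, e.g. OUT=)
PREFIX_RE = re.compile(r"kernel: (\S+): ")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the log prefix plus the key=value fields as a dict, or None
    if the line is not a packet-filter log record."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line[m.end():]))
    fields["PREFIX"] = m.group(1)
    return fields


def summarize_denies(log_text):
    """For each source address that was denied, count the dropped packets
    and collect the distinct destination ports it was denied on."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["PREFIX"].startswith("DROP"):
            continue  # accepted traffic (or noise) is not a deny
        src = rec.get("SRC", "?")
        drops[src] += 1
        if rec.get("DPT", "").isdigit():
            ports[src].add(int(rec["DPT"]))
    return {src: {"drops": drops[src], "ports": sorted(ports[src])} for src in drops}


def probable_scanners(summary, min_ports=3):
    """Sources denied on at least min_ports distinct ports: a crude but
    useful 'who is trying closed doors' question to ask the log daily."""
    return sorted(src for src, s in summary.items() if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        print(f"{src:15} drops={s['drops']:3} ports={s['ports']}")
    print("probable scanners:", probable_scanners(summary))
```

Run it against the real log (replace SAMPLE_LOG with the file contents) and the same two questions, "who is being denied most" and "who is being denied on many different ports", are usually enough to tell whether the holes in the policy are being used as intended or merely being found.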
