> > Other security features in an Enterprise Class firewall;
> >
> > -Inside source based NAT, reinforces secure traffic flow by allowing
> > outside to inside flows based on configured translations and allowed
> > security policies
>
> Terrible from an availability perspective, troubleshooting perspective,
> too. Just dumb, dumb, dumb - NATed servers fall over at the drop of a hat
> due to the NAT device choking.
>
>>> How is that possible with inside source NATing? You must mean a misconfigured
>>> outside source NATing
>
> > -TCP sequence number randomization (to prevent TCP seq number
> > guessing)
>
> Server IP stack does this itself just fine.
>
>>> What server randomizes TCP sequence numbers? servers randomize initial
>>> sequence numbers!, regardless, the FW will accept and randomize again making
>>> sure the endpoints get the correct TCP seq numbers, again more secure
>
> > -Intrusion Detection and Prevention (subset of most common signatures)
> > recognize scanning attempts and mitigate
> > recognize common attacks and mitigate
>
> Snake-oil.
>
>>> Preventing attacks on internal networks or servers, snake oil, LOL
>>> FWs typically offer a subset of potential IDS signatures, dedicated appliances
>>> or systems offer a higher level of prevention
>
> > -Deep packet inspection (application aware inspection for common
> > network services)
>
> Terrible from an availability perspective, snake-oil.
>
>>> Inspecting application header and data, it will identify/prevent some application
>>> attacks? how does that reduce availability?
>
> > - Policy based tools for custom traffic classification and filtering
>
> Can be done statelessly, no firewall required.
>
>>> True, never said this was done statefully, what device are you using to perform
>>> this function?
>>> no firewall required, but part of distributed defense in depth strategy and can be
>>> done by a firewall, again a secure architecture is the goal not just a firewall
>
> > -Layer 3 segmentation (creates inspection and enforcement points)
>
> Doesn't require a firewall.
>
>>> No, but segmentation and multiple security enforcement points are essential for
>>> a secure architecture,
>
> > -Full/Partial Proxy services with authentication
>
> If needed, can be better handled by transparent reverse-proxy farms; auth
> handled on the servers themselves.
>
>>> The servers are doing everything in your model, must be quite some servers, are
>>> we talking firewalls in general or are we talking datacenter, all companies do not
>>> have access to reverse-proxy farms
>
> > - Alarm/Logging capabilities providing info on potential attacks
> > -etc ......
>
> NetFlow from the network infrastructure, the OS/apps/services on the server
> itself do this, etc.
>
>>> not the same thing, you will need to analyze the data, Netflow does not perform
>>> data analysis, you will need to develop/buy something else for that
>
> > Stateful inspection further enhances the security capabilities of a
> > firewall.
>
> No, it doesn't, not in front of servers where there's no state to inspect,
> in the first place, given that every incoming packet is unsolicited.
>
>>> every packet is not unsolicited, webserver to database request? DB synch
>>> between datacenters, administration, remote services, etc ... there is no state for
>>> the services you are serving, true, but what about the rest of the network services
>>> potentially available and their exploits?
>
> > You may choose not to use a firewall or implement a sound security
> > posture utilizing the "Defense in Depth" philosophy, however your chances of
> > being compromised are dramatically increased.
>
> Choosing not to make the mistake of putting a useless, counterproductive
> firewall in front of a server doesn't mean one isn't employing a sound,
> multi-faceted opsec strategy.
>
>>> didn't say it did, I stated several times that a secure architecture should be the
>>> goal not just adding a FW, did you fail to read or respond to that part?
>
> I know that all the firewall propaganda denoted above is repeated
> endlessly, ad nauseam, in the Confused Information Systems Security
> Professional self-study comic books, but I've found that a bit of real-world
> operational experience serves as a wonderful antidote, heh.
>
>>> Again, a firewall has its place just like any other device in the network, defense in
>>> depth is a prudent philosophy to reduce the chances of compromise, it does not
>>> eliminate it nor does any architecture you can think of, period
>
> mike
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com>
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
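Two points in the exchange above go together: the firewall feature list claims to "recognize scanning attempts", and the reply that NetFlow from the infrastructure covers alarm/logging is answered with "you will need to analyze the data". The following is an added example, written for this page and not code from either poster, of what that analysis step looks like at its simplest: a small scan detector run over flow records. The record layout, the flag encoding, the thresholds and the sample flows are all constructed assumptions of this example rather than any real NetFlow export.

```python
"""Minimal scan detection over flow records (added example, assumed format).

Flow exports only tell you who talked to whom on which port and with which
TCP flags; deciding that a pattern is a scan is the analysis the thread says
someone still has to build or buy. This detector flags two classic shapes:
  - vertical scan: one source hitting many distinct ports on one host
  - horizontal sweep: one source hitting one port across many hosts
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One exported flow record. Field names and flag encoding are assumed."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    tcp_flags: str  # "S" for SYN-only attempts, "SAF" etc. for completed handshakes


# Constructed sample export (not real telemetry): ordinary web traffic, a
# web server talking to its database (a solicited, stateful flow), one
# source probing 40 ports on the web server, and one source sweeping port 22
# across 39 hosts.
SAMPLE_FLOWS = (
    [
        Flow("198.51.100.10", "192.0.2.80", 80, "tcp", 12, "SAF"),
        Flow("198.51.100.11", "192.0.2.80", 443, "tcp", 30, "SAF"),
        Flow("192.0.2.80", "192.0.2.50", 3306, "tcp", 200, "SAF"),  # web -> DB
    ]
    + [Flow("203.0.113.5", "192.0.2.80", p, "tcp", 1, "S") for p in range(20, 60)]
    + [Flow("203.0.113.9", f"192.0.2.{h}", 22, "tcp", 1, "S") for h in range(1, 40)]
)

VERTICAL_PORT_THRESHOLD = 20    # distinct ports on one host (assumed tuning)
HORIZONTAL_HOST_THRESHOLD = 20  # distinct hosts on one port (assumed tuning)


def detect_scans(flows, vert=VERTICAL_PORT_THRESHOLD, horiz=HORIZONTAL_HOST_THRESHOLD):
    """Return sorted findings as (kind, src, target_key, count) tuples."""
    ports_per_src_dst = defaultdict(set)   # (src, dst)   -> {dport}
    hosts_per_src_port = defaultdict(set)  # (src, dport) -> {dst}
    for f in flows:
        # Only count TCP flows that never saw an ACK: connection attempts the
        # target did not complete are what probing looks like in flow data.
        # Completed sessions (web clients, the web->DB flow) are ignored.
        if f.proto == "tcp" and "A" in f.tcp_flags:
            continue
        ports_per_src_dst[(f.src, f.dst)].add(f.dport)
        hosts_per_src_port[(f.src, f.dport)].add(f.dst)

    findings = []
    for (src, dst), ports in ports_per_src_dst.items():
        if len(ports) >= vert:
            findings.append(("vertical_scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_src_port.items():
        if len(hosts) >= horiz:
            findings.append(("horizontal_sweep", src, dport, len(hosts)))
    # Stable ordering; str() on the target key because it is a host for
    # vertical findings and a port number for horizontal ones.
    return sorted(findings, key=lambda x: (x[0], x[1], str(x[2])))


if __name__ == "__main__":
    for kind, src, key, n in detect_scans(SAMPLE_FLOWS):
        print(f"{kind}: {src} -> {key} ({n} distinct)")
```

Run as-is it reports one vertical scan against 192.0.2.80 and one sweep of port 22, while the legitimate client sessions and the server-to-database flow produce nothing. The filter on ACK-bearing flows is also why the "every incoming packet is unsolicited" disagreement matters for analysis: server-initiated flows such as the web-to-DB connection carry state of their own and are the ones that a purely inbound view would miss.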