> On 7 Jun 2005 at 9:41, Tina Bird wrote:
> > From the TechTarget coverage of the Gartner Security Summit this
> > week:

> > "Next generation firewalls that do deep-packet inspections from
> > vendors like Juniper Networks, Check Point and Fortinet employ a
> > heuristics engine and allow all network traffic and behavior, except
> > those which policy says it must block. Most enterprises, however,
> > refresh their firewall purchases on a three- to five-year cycle and
> > that makes it challenging to synch new features."

> From: Dave Piscitello [mailto:dave@corecom.com]
> This is very good publicity for firewall vendors not in the list who
> provide a default "DENY ALL" in policy configuration. I'll enjoy
> tormenting friends at these companies over this:-)

I guess that's one way to look at it. I'd like to think that folks at
companies will be cringing, and refusing to pay for multi-martini
(if anyone in this politically correct time still indulges in
lunches). Although I wonder how many of the companies that ship with a
"deny all" config will now be accused of being out of touch with the real
world, or at least the real world as defined by Gartner.

> But the 2nd statement is very odd, don't you think? Not only is it
> remarkably difficult to parse, but it flies in the face of (my)
> experience.
> Taking the source with a grain of salt, I find it hard to believe
> that most enterprises change security vendors every five years.

Well, the company at which I did my first firewall install replaced the
whole shebang within a year of my leaving, claiming that my rock-solid
Sidewinder infrastructure was too hard to manage, and putting in PIXen
instead. But I agree that *most* places don't do that. We're generally
content with the devil we know.

> Perhaps 100% of my clients buck this trend. Upgrades, yes.
> Forklifting firewalls? I have yet to see this except in circumstances
> where the prior firewall failed pitifully in enforcing policy.

I have seen several organizations replace firewall or VPN architectures,
almost never for a technical reason - almost always for political or
financial ones.

