This is a discussion on RE: [fw-wiz] so much for "deny all" - Firewalls ; > On 7 Jun 2005 at 9:41, Tina Bird wrote: >=20 > > >From the TechTarget coverage of the Gartner Security Summit this > > >week: > >=20 > > "Next generation firewalls that do deep-packet inspections from > > ...
> On 7 Jun 2005 at 9:41, Tina Bird wrote:
> > >From the TechTarget coverage of the Gartner Security Summit this
> > >week:
> > "Next generation firewalls that do deep-packet inspections from
> > vendors like Juniper Networks, Check Point and Fortinet employ a
> > heuristics engine and allow all network traffic and behavior, except
> > those which policy says it must block. Most enterprises, however,
> > refresh their firewall purchases on a three- to five-year cycle and
> > that makes it challenging to synch new features."
> From: Dave Piscitello [mailto:firstname.lastname@example.org]=20
> This is very good publicity for firewall vendors not in the list who=20
> provide a default "DENY ALL" in policy configuration. I'll enjoy=20
> tormenting friends at these companies over this:-)
I guess that's one way to look at it. I'd like to think that folks at =
companies will be cringing, and refusing to pay for multi-martini =
(if anyone in this politically correct time still indulges in =
lunches). Although I wonder how many of the companies that ship with a =
all" config will now be accused of being out of touch with the real =
or at least the real world as defined by Gartner.
> But the 2nd statement is very odd, don't you think? Not only is it=20
> remarkably difficult to parse, but it flies in the face of (my)=20
> Taking the source with a grain of salt, I find it hard to believe=20
> that most enterprises change security vendors every five years.=20
Well, the company at which I did my first firewall install replaced the
whole shebang within a year of my leaving, claiming that my rock-solid
Sidewinder infrastructure was too hard to manage, and putting in PIXen
instead. But I agree that *most* places don't do that. We're generally
content with the devil we know.
> Perhaps 100% of my clients buck this trend. Upgrades, yes.=20
> Forklifting firewalls? I have yet to see this except in circumstances=20
> where the prior firewall failed pitifully in enforcing policy.
I have seen several organizations replace firewall or VPN architectures, =
almost never for a technical reason - almost always for political or
firewall-wizards mailing list