For reference, here's the article link again:
http://www.securitypipeline.com/165700439

1) Life is a lot better with layer 3 switching. If you don't have that, however, it is not clear how one reaps the benefits being advocated by this article...even with the AV, tiered servers, application-layer firewalls, and PKI benefits listed. The original mind-set wasn't flawed; new technology allowed the same problems to be approached in a different fashion.
2) Not seeing anymore about the company where the author worked his magic, I can only assume that his application development staff has some of the same problems that I've witnessed the last 20 years or so. That is a) they are somewhat dense regarding how to develop secure networked applications, so b) the network folks have to build security into other areas so unsafe apps play well with others.
3) It isn't clear if the new network has multiple application layer firewalls or not. If it does, I don't see how the new network has improved much beyond network-layer firewalls. A significant protective burden (not to mention administrative burden to manage multiple systems) is still borne by firewalls. If it has only one, how true an application-layer firewall has been deployed? Email isn't ftp isn't ...
4) Clients in the clear? I can only assume the CM is better at his place of work than mine. Unless there is a complete prohibition on downloading/installing the tool de jour, I don't see how the security environment is improved. I'd also like to know a bit more about the PKI implementation: is this a single sign on environment? How do you protect the integrity of the certificate on corporate laptops? What level of effort was required to integrate PKI (if any) into the services his network supports?
5) It looks to me that the author works for a company that forced a default allow security policy on him to support AD...he made the best of a tough situation. I bet his monitoring capability employs a bunch of new people now.
:-)

My $0.02.


_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards