There's a lot in the article that's left to speculation. I admire their
internal network design; multiple security zones with clearly-defined
services separated by application-layer firewalls, network ACLs to
control traffic flows. Being able to accurately profile traffic
traversing the network allows strict firewall rules and network ACLs,
and greatly enhances the IDS or IPS ability to identify bogus traffic.
He's also got an compartmentalized network that may allow him to contain
a virus or worm, preventing, for instance, a workstation infected with a
virus from spreading it to the core business servers.

It's not clear what he's done with the clients. They're running a
hardened OS, with the latest AV and presumably a firewall. He hasn't
said they've got cart-blanche to run anything they want; perhaps the
clients are locked down to a selection of approved apps, but they have
broader selection than most of us would. With all the effort they've put
in to the rest of their network, I have to assume that they've
recognized the threats from the workstation and have instrumented and
profiled them as well as they have elsewhere.

Unfortunately, this isn't usually the case. It's the exceptions that get
you. The users with extra rights that turn off the firewall, the admin
people who've opened up some extra inbound ports in their firewall to
allow a "special" app to work, the machines that for some reason didn't
get the latest AV signature.

And I can just imagine the complaints from our network group as their
switches (which we rely on for traffic flow management, not security)
start to see some of the pounding our perimeter firewall receives.

So it's tough to understand why, with all the effort they've put in to
hardening the interior, he would resist adding the incremental cost of
one more firewall to protect the perimeter and potentially have the best
of all worlds (a crunchy exterior and interior), unless it's really is
for "Taking that crutch away has forced us to rethink our security
model".

I'd be inclined to find another way to sell that lesson.

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Pedski
Sent: Monday, October 17, 2005 9:30 PM
To: James Paterson
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The Death Of A Firewall


James Paterson wrote:

>http://www.securitypipeline.com/165700439
>
>Be interesting to get the communities take on this article.
>
>_______________________________________________
>firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
>http://honor.icsalabs.com/mailman/li...rewall-wizards
>
> =20
>

This is a model that has holes...
router acl are not statefull.
they seem to have some secutiy by means of DMZ
the managemnt overhead of this is high..sometimes is not that easy=20
deploying patches if the vulnerabilty came in the night...meaning if you

are blocking everything with a firewall you bought yourself some=20
time....in this case they are open ...the term raise their immunity to=20
exists in hashers condition sounds really nice...but often attacks or=20
worms come like a thief in the night......

there is something flawed with this architecture.
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards