Re: [fw-wiz] How to automate ... Correct Network Designs...
Jim Seymour wrote:
> "Marcus J. Ranum" wrote:
>> The "take whole classes of problems off the table" approach
>> is what engineers consider elegance of design. It's that kind
>> of elegance that is mostly lacking in how we do operating
>> systems and security system design, today.
> There is a structured systems design book I have (I think that's the
> one, anyway) that recommends input be conditioned as early in the data
> flow as possible so it's done and over with, and you can not have to
> worry about unconditioned data floating around in the system, being
> (similarly) conditioned in multiple places (code redundancy), etc.
> Similar concept.
"Data flow as early as possible" could be problematic if your network isn't/wasn't designed properly. What kind of network are you talking about, a structured network where functions are layered (core, distribution, access) properly? A collapsed core? Generally at the Core layer you wouldn't want to slow down the network with filtering. It being the core layer, data has to get in fast and pass out fast. Distribution and access, sure. But to state "data flow as early as possible" is partially incorrect. If your network wasn't designed properly, sure. If your routers have enough memory, sure, if you want more rules atop more rules, sure. However, if your firewall can't perform or is getting choked then you should seek a better appliance/program.
Here is something I found a bit humorous about a month ago... I have a client (I maintain their telecom side of things (VoIP)). They have enterprise Firewall-1. The whole kit and caboodle cost 90k last year. The vendor they purchased it from maintained it. That vendor lost the "certified" person to manage it... (I never knew one had to be CCSA/CCSE certified to maintain FW1 *snicker*). The staff at my client did not know how to manage FW1. Their solution? They sought to purchase a Cisco ASA5xxx series for something like 13k. My suggestion? After explaining to them they'd end up losing out by dumping FW1, going through the whole ROI with my client's senior management, going through the pros and cons... Turns out ... You guessed it, they stood with FW1, found a CP platinum partner to manage it, and that was the end of it. The reasoning they wanted to go with Cisco (outside of someone's notion of playing with something new) was, it was slow, too many rules, etc... After looking at their ruleset, doing a network analysis, rules were simplified, its use as a firewall was given to... The router, as it should be... And guess what? Everyone is happy. -- Well, at least everyone except the guy who wanted his new toy.
So while being slightly off-topic (hey, I have to humor myself somehow), I don't believe filtering "straight from the top" is applicable to everyone. No two networks are the same.
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government.
firewall-wizards mailing list