This is a discussion on Re: [fw-wiz] Firewalls that generate new packets.. - Firewalls ; Paul Melson wrote: > ... > >Not at all. My point is that the convenience of state tracking firewalls >translates directly into savings for the companies that use them. Because >without it, you must document and enforce policy for traffic ...
Paul Melson wrote:
>Not at all. My point is that the convenience of state tracking firewalls
>translates directly into savings for the companies that use them. Because
>without it, you must document and enforce policy for traffic on your network
>in both directions.
I suspect what you're comparing is the ease of configuration.
If you're not documenting and enforcing a policy for your network
traffic in both directions then I'm curious to know why you shouldn't
be put in the incompetant basket. Or to put it another way, if you
don't have a documented security policy then you don't have
anything to enforce with the firewall, so you may as well throw
the firewall away and let everyone run free!
Companies that have an Internet connection without having a
network security policy shouldn't be on the Internet!
>State tables allow your firewall to have a deny-all
>default inbound policy and an allow-all default outbound policy. They allow
>you to assume that the Internet cannot be trusted and that your internal
>network can be.
I don't see how this is any different to any other firewall.
>Of course these are flawed assumptions.
I'd encourage you to do more reading, buy some books (remember
those paper things?) and do more reading so that you're actually
knowledgable about the topic and thus don't need to make flawed
firewall-wizards mailing list