On Jan 10, 2010, at 1:32 AM, Dobbins, Roland wrote:
On Jan 10, 2010, at 1:22 PM, harbor235 wrote:
Again, a firewall has its place just like any other device in the network, defense in depth is a prudent philosophy to reduce the chances of compromise, it does not eliminate it nor does any architecture you can think of, period.
Bah, I was trying not to get sucked into the roaring vortex of this thread, but I think that folks are ignoring one of the primary benefits of firewalls:
Quite simply, it's this: I can now place a checkbox in the "Is there a firewall?" column of the <insert random acronym here> audit.
While it may be fun to rail against the stupidity, after the Nth time that you have had the "This is in no way going to help improve security and will actually decrease it" argument, you realize that, if you want to get real work done, you need to choose your battles. In many cases the auditor knows that the firewall may not make things better, and may make them worse, but he has a set of guidelines that the contracting company he is working for dictates, and he needs to see the widget to sign on the dotted line.
I have had auditors cheerfully point out that the way that their specific requirement is worded, a commodity CPE device plugged into a port somewhere will fully satisfy their requirements and did I know that BestBuy has them on sale this week?
W
What a ridiculous statement - of course it does.
*The place of the stateful firewall is in front of clients, not servers*.
I'm not going to continue the unequal contest of pitting real-world operational experience against Confused Information Systems Security Professional brainwashing. One can spout all the buzzwords and catchphrases one wishes, but at the end of the day, it's all dead wrong - and anyone naive enough to fall for it is setting himself up for a world of hurt.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken