Firewall Wizards mailing list archives

Re: How automate firewall tests


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 22 Aug 2006 00:26:39 -0400

Chris Byrd wrote:
> I guess the question then is, what is the solution?

Oh, sheesh, it's not enough for you that I help identify the problem,
you want me to take another stab at solving it?!? My last attempt
wasn't very popular or successful; I'm discouraged.

> Defense-in-depth, compartmentalization, and diligent
> patching all help, but surely there has got to be a way to build a
> better mouse trap - err - firewall.

Nope!!!

Security is a complexity problem. Software is too complex to
understand the ramifications of its combinations, when you toss
in a hostile actor. The "solution" - if there is one - is not to add
more stuff, but rather to take stuff away. If you accept my
argument that security is a complexity problem, then it follows
logically that ADDING more stuff (firewalls, IPS, autopatching,
etc, etc) is actually going to make things worse in the long
run, rather than better. But: define "worse" - it's going to make
a lot of money for a lot of people.

> What about the handful of L7 firewalls out there?  Sidewinder and the
> like?  Don't they manage to keep up on fast links?  Can you move the
> processing into FPGAs or similar?

I think Secure Computing has been pretty effectively rolling the
layer-7 technology into their portfolio. At this point they're the
remaining vendor playing hard in that space.

> It's not that I want a silver bullet in a firewall, just that I want it
> to do more than just be a hunk of metal in line.

Awww, c'mon - you've got _REGEXPS_ in your firewall, now, what
MORE do you NEED?  *snicker*

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
