Firewall Wizards mailing list archives

Re: Firewalls that generate new packets..


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Thu, 29 Nov 2007 09:19:44 +0100

Hi, Darren,

> So what you're really comparing is the default configuration
> of packet based firewalls with proxy based firewalls.

Well, yes.

When engaged in selling Secure Computing gear, I always
put an emphasis on the "more reasonable default configuration"
and the fact that it's more complicated if not impossible to do
something stupid by accident.
I also take my time to carefully explain the concept of egress
filtering.

E.g. does PIX still have these implied rules that say: if I
configure port X from here to there, this automatically implies
the same access to all interfaces with a lower security level than
'there'? This is the case in 6.x - now, whoever at Cisco came
up with this concept should be shot.

I have not looked at 7.x or ASA, yet.

Kind regards,

Patrick M. Hausen
Head of Networks and Security

P.S. I know that PIX access lists do not implement stupid things like
     the above, but PIX Device Manager does. Now, which is a customer
     with limited time and knowledge more likely to use?
-- 
punkt.de GmbH * Vorholzstr. 25 * 76137 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info () punkt de       http://www.punkt.de
Gf: Jürgen Egeling      AG Mannheim 108285
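As an added illustration, not part of the original post, here is a small Python model of the implied-rule semantics Patrick describes for PIX 6.x / PDM: one configured rule to interface X is treated as access to every interface with a lower security level than X. Interface names and security levels are constructed; the function compares the expanded policy with the rules actually written so an administrator can see which grants were never asked for.

```python
# Constructed interface table (name -> security level); not from any real device.
INTERFACES = {"outside": 0, "partner": 30, "dmz": 50, "inside": 100}

# Rules are written as (source_interface, destination_interface, tcp_port).
# Constructed sample: the administrator only wants inside -> dmz on port 25.
SAMPLE_RULES = [("inside", "dmz", 25)]


def implied_targets(dst, levels):
    """Interfaces an implied rule to `dst` also reaches: `dst` itself plus
    every interface whose security level is lower than that of `dst`
    (the PIX 6.x / PDM behaviour described in the mail)."""
    return {name for name, lvl in levels.items() if lvl <= levels[dst]}


def effective_policy(rules, levels):
    """Expand each written rule into the set of (src, dst, port) triples
    that the implied-rule semantics actually permit."""
    effective = set()
    for src, dst, port in rules:
        for target in implied_targets(dst, levels):
            if target != src:  # traffic does not leave an interface to itself
                effective.add((src, target, port))
    return effective


def unintended_grants(rules, levels):
    """Return the permitted triples that were never written explicitly,
    i.e. the extra reach an explicit egress-filtering policy would not have."""
    return sorted(effective_policy(rules, levels) - set(rules))


if __name__ == "__main__":
    for src, dst, port in unintended_grants(SAMPLE_RULES, INTERFACES):
        print(f"implied, never written: {src} -> {dst} tcp/{port}")
```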