Firewall Wizards mailing list archives
Re: DISA eliminating firewalls
From: Tim Harris <tim () fbnservices us>
Date: Fri, 5 Jul 2013 09:21:27 -0700
I think it's a mistake to assert that something will never happen. I suspect that firewalls, per se, may disappear but the essential function will stay. The largest function that firewalls perform today is a coarse filtering of traffic. They eliminate the obvious bad traffic as well as traffic that is misdirected. I have no data on the percentage of traffic that never makes it through the firewall but suppose that it means the traffic behind the firewall is reduced by 20%. That reduces my cost because I need less bandwidth and less robust equipment. It also means I save on CPU cycles because that traffic is checked once at the perimeter rather than forcing every device to inspect it. This is why they still do ID checks at the door when entering a bar. On the other hand, you can drive without a license if you are willing to take the chance of getting caught and paying the penalty.

I would argue that the next logical step in firewalls is a meta-firewall. Suppose that I have a large, distributed network with multiple firewalls and routers. I argue that a good firewall software ought to be able to treat that as a single administrative unit. I define a set of rules similarly to what I do now with my single firewall. The meta-firewall should be able to analyze my routing and switch configuration, determine the rule set that is appropriate to each individual device and push that out automatically. That way I don't have to go to each single firewall, define a set of rules, and hope that they are consistent and correct. The more points of management I have, the greater the opportunity for me to screw it up.

By distributing the firewall function (which is what I suspect will really happen at DISA), as described in the article, there is a huge administrative challenge for which I don't think there is a good solution yet.
Respectfully,
Tim Harris

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of André Lima
Sent: Thursday, July 04, 2013 11:27 AM
To: firewall-wizards () listserv icsalabs com
Subject: Re: [fw-wiz] DISA eliminating firewalls

Firewalls will never and should never disappear. The reason is that multi-layer security systems are the best one can apply for any network. And by definition it means that one layer (e.g. firewall) will obviously not be enough, but nevertheless it is an essential part of the security system. And the reason I believe it won't disappear is that it gives us all some assurance. Just as the door in my house. If a great professional burglar wants to get something from our homes, the door will obviously not stop him. But that doesn't mean I'm willing to give up my door and just be in an open door home, because it does help in some situations (typical strangers, or unwanted kids). I don't want to be inside and be worried that a drifting stranger might get inside and sleep in my bed while I'm away just because there was nothing to stop him.

But if you're just implying that such a system can be implemented, indeed that's possible. But that would be an end-to-end security system which is a nightmare to maintain. A firewall is centralized and even though we all know it's not enough to mitigate all attacks, it does give me some basic assurances so I don't have to be (extremely?) paranoid inside my own network.

Best regards,
André Lima
http://www.andr3l1ma.net/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
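The "meta-firewall" idea in Tim's message, sketched as an added example that is not code from the thread or from any product: one global, first-match policy is compiled into a per-device rule subset and linted for shadowed rules before anything is pushed. The rule tuple format, the device-to-network map (standing in for the routing/switch analysis he describes), all addresses and ports are constructed for the example.

```python
import ipaddress

def net(s):
    return ipaddress.ip_network(s, strict=False)

# Constructed global policy in first-match order: (src, dst, proto, dport, action).
# Addresses and ports are made up for the example.
GLOBAL_POLICY = [
    ("10.1.0.0/16", "10.2.0.10/32", "tcp", 443, "allow"),
    ("0.0.0.0/0", "10.2.0.10/32", "tcp", 22, "deny"),
    ("10.1.0.0/16", "10.2.0.10/32", "tcp", 22, "allow"),  # unreachable: shadowed by the deny above
    ("10.3.0.0/16", "10.2.0.0/24", "tcp", 3306, "allow"),
    ("0.0.0.0/0", "0.0.0.0/0", "any", None, "deny"),      # default deny
]

# Constructed topology: the networks each enforcement point sits in front of.
DEVICES = {
    "fw-dc": ["10.2.0.0/24"],
    "fw-branch-a": ["10.1.0.0/16"],
    "fw-branch-b": ["10.3.0.0/16"],
}

def covers(earlier, later):
    """True if every packet 'later' could match is already matched by 'earlier'."""
    return (net(earlier[0]).supernet_of(net(later[0]))
            and net(earlier[1]).supernet_of(net(later[1]))
            and earlier[2] in ("any", later[2])
            and earlier[3] in (None, later[3]))

def shadowed_rules(policy):
    """Indexes of rules an earlier rule makes unreachable; a differing action on the
    pair is a real policy bug, the same action is merely a redundant rule."""
    return [i for i, later in enumerate(policy)
            if any(covers(earlier, later) for earlier in policy[:i])]

def relevant(rule, nets):
    """A rule belongs on a device if its source or destination touches a network it fronts."""
    src, dst = net(rule[0]), net(rule[1])
    return any(src.overlaps(n) or dst.overlaps(n) for n in nets)

def compile_policy(policy, devices):
    """Derive each device's ordered rule subset from the single global policy."""
    return {name: [r for r in policy if relevant(r, [net(n) for n in nets])]
            for name, nets in devices.items()}

def render(rule):
    src, dst, proto, dport, action = rule
    return f"{action} {proto} {src} -> {dst}" + (f" port {dport}" if dport else "")

if __name__ == "__main__":
    for i in shadowed_rules(GLOBAL_POLICY):
        print(f"WARNING: rule {i} ({render(GLOBAL_POLICY[i])}) is shadowed")
    for name, rules in compile_policy(GLOBAL_POLICY, DEVICES).items():
        print(f"== {name}")
        for r in rules:
            print("  " + render(r))
```

Any-source or any-destination rules land on every device, which is the intended behaviour for a distributed default deny; a real implementation would replace the overlap test with the actual reachability derived from the routing tables.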