Thursday, April 30, 2009

firewall-wizards Digest, Vol 36, Issue 40

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: State of security technology for the enterprise
(Marcin Antkiewicz)
2. Re: State of security technology for the enterprise (Chris Hughes)


----------------------------------------------------------------------

Message: 1
Date: Thu, 30 Apr 2009 00:13:24 -0500
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: miedaner@twcny.rr.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7ed5f2120904292213r55acf650n92cc1a34a3f7cea6@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

> The underlying architecture is very important to providing control.

I doubt that the original poster's question can be answered without
the rest of the relevant information. What is the environment? What
systems/data will be protected? Under what regulation? What budget?
How big is the staff? What's the infrastructure? What's the
organization's experience dealing with IT Sec risks?

A laundry list of technology is meaningless - each of the pieces must
work with the others, and satisfy some business need. If the latter
part is neglected, funding tends to dry up in 2-3 years. Justification
to the business does not have to be extravagant, but it must be well
done, and in language and context that the business understands.

ArkanoiD is correct, the biggest Sidewinder is worthless if the
application folks decide to include passwords in Javascript. I know of
a few places that try to correct such creativity with iRules on F5s,
but that's just a race that the org is going to lose. Sidewinders and
F5s are not needed, secure SDLC will fix that problem. Add a decent
development process to Sidewinders and the F5s and the org will be
doing quite well, but that's very expensive - requires cooperation of
IT Sec and App Delivery, which cannot be purchased.

I think I am trying to say that Security is a process, and cannot be
bought (in a sustainable manner), but that we all know already.

--
Marcin Antkiewicz


------------------------------

Message: 2
Date: Thu, 30 Apr 2009 11:45:04 -0400
From: "Chris Hughes" <chughes@l8c.com>
Subject: Re: [fw-wiz] State of security technology for the enterprise
To: <firewall-wizards@listserv.icsalabs.com>
Message-ID: <91C9BA83BBE8437BBFD15FD6B4EB223C@Acer>
Content-Type: text/plain; charset="us-ascii"

I have no idea how "new" these technologies are. If they were mainstream
technologies I would expect to see more of the mainstream vendors
implementing them. I can see where cutting edge security types would view
"mainstream" as missing the mark. The problem is, on an enterprise level,
most companies are not willing to look at open source solutions or vendors
they have never heard of. They want brand names that can be supported by a
wide audience of engineers.

I term the technologies as immature because the offerings I see leave
something to be desired.

I am not aware of having XML data flows. What are you referring to?

My purpose was not to offend you or become viewed as ignorant. My purpose
is to solicit opinions on these technologies which appear to me and the
folks I deal with as "new". I will look at IBM's offering as you suggest.

_________________________________________________________________________

You are kidding calling those technologies "new"?

Actually we do need something new. Think entitlement management, role-based
access control, data flow tracking, embedded security tokens, OWASP
frameworks, XML filtering etc.

At least document fingerprinting and discovery as poor man's solution.

And configuration management and endpoint security solutions (not just
"AV"!) for sure.

We all are going nowhere because we are stuck into our old toys - DPI, IDS,
AV, VPN etc and actually have no idea how data flow *should* be managed -
and you are afraid of "potentially immature technologies"? God damn,
everything you list is old as mammoth's fossilized crap!

Well, have a look at IBM's Datapower at least - much of your data flow is
XML, right?

And forget that Cisco makes "firewalls". Those are not worth their power
supply units.


------------------------------



End of firewall-wizards Digest, Vol 36, Issue 40
************************************************
