
Saturday, July 06, 2013

firewall-wizards Digest, Vol 66, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: DISA eliminating firewalls (Crispin Cowan)
2. Re: DISA eliminating firewalls (Tim Harris)
3. Re: DISA eliminating firewalls (Young,Greg)


----------------------------------------------------------------------

Message: 1
Date: Sat, 6 Jul 2013 15:55:11 +0000
From: Crispin Cowan <crispin@crispincowan.com>
Subject: Re: [fw-wiz] DISA eliminating firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <BLU403-EAS141550E8FD50BBDFBA4B6CEC17E0@phx.gbl>
Content-Type: text/plain; charset="utf-8"

"What will happen when firewalls go away?" is a very good question, I don't have that answer. I simply assert that firewalls will go away, because they will become irrelevant. They are already barely relevant because of mobile devices. The threatscape is ignoring your firewall and walking straight through the front door attached to each individual worker in the form of a smart phone or a tablet. Not only do the users use them any way they want while away from the office, most of these devices are dual-homed to your network and a cellular network plumbed right to the internet.


It is neither my choice nor my wish that firewalls will go away, merely an inevitable consequence of pervasive mobile computing in the enterprise.






Sent from Windows Mail





From: Tim Harris
Sent: Saturday, July 6, 2013 8:11 AM
To: Firewall Wizards Security Mailing List





I don't disagree with your comment about the crunchy outside/gooey middle, but if firewalls are to go away, what will happen to the function they perform? Are we going to discard the entire function of coarse filtering? It has been amply demonstrated that the individual device is not currently capable of adequately defending itself.



Going back to my other comment about many points of administration, is there a software package or system that can/will reduce it down to a manageable problem? Is there a "meta-admin" system out there or under development?





From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Crispin Cowan
Sent: Friday, July 05, 2013 12:04 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] DISA eliminating firewalls





Firewalls are virtually guaranteed to disappear. The writing was on the wall the first time "crunchy outside, gooey middle" was uttered. Smart phones and tablets dig the hole deeper, and BYOD is the nail in the coffin.





You cannot protect your networks in a world full of smart phones and tablets, owned by consumers, which must be allowed to connect to the network. The only thing you can do at that point is to stop trusting the network, and instead trust individual nodes, and use encrypted channels (IPsec, SSL, whatever) between nodes that trust each other.





When this will happen is far less clear, and it may be that DISA is a bit premature here. But this is coming, get used to it.






Sent from Windows Mail
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 2
Date: Sat, 6 Jul 2013 09:06:11 -0700
From: Tim Harris <tim@fbnservices.us>
Subject: Re: [fw-wiz] DISA eliminating firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<E8A5605884B22D4BBCD12F82692732585BC0D5D150@FBN.fbnservices.us>
Content-Type: text/plain; charset="iso-8859-1"

The cited references are certainly a step in the right direction, but they seem to be only partway toward the concept I am thinking about. It is still necessary for the administrator to do a great deal of work and to manage the individual devices. I'd like to see something that abstracts it at least one more level.

Imagine an environment containing dozens (or more) routers and firewalls/security devices. The operator should be able to define a single set of rules for permitted traffic, denied traffic, and permitted/denied sources and destinations. The system should be able to parse that into subsets and distribute them automatically. The admin should not have to examine each firewall individually.

The McAfee product sheet states "The McAfee Firewall Enterprise Admin Console offers a basic environment for connecting to and managing one or more firewalls". That suggests that I must still manage each firewall individually. 10 firewalls = 10 devices to manage. The firewalls, routers, and switches should be viewed as one device: 100 firewalls + 200 routers = 1 rule set and 1 device to manage.

If one of the firewalls is in a portion of the network that never sees a given range of traffic, then it doesn't need the applicable rules and the central console should figure that out and not push them. For example, a router in the public address space will never see a private address. It doesn't need to have all the rules about private devices.

I apologize if I seem dense, perhaps I'm not explaining clearly.

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Patrick M. Hausen
Sent: Friday, July 05, 2013 1:38 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] DISA eliminating firewalls

Hi, Wizards,

On 05.07.2013 at 18:21, Tim Harris <tim@fbnservices.us> wrote:
> I would argue that the next logical step in firewalls is a meta-firewall.
> Suppose that I have a large, distributed network with multiple firewalls and routers.
> I argue that a good firewall software ought to be able to treat that as a single administrative unit.
> .


In fact products like this have been around for quite a while.

I don't quite remember if NAI had a central management/policy tool for the Gauntlet firewalls but I guess they did.

At least Secure Computing had it in 2003 for the then announced Sidewinder G2 (partly Sidewinder, partly Gauntlet).

Cyberguard, acquired by Secure Computing in 2005, already had it before 2005.

Current McAfee product:
http://www.mcafee.com/us/resources/data-sheets/ds-firewall-management.pdf

Heck, Cisco has got it for ASA:
http://www.cisco.com/en/US/products/ps6498/index.html

Kind regards,
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285



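The single-policy, automatic-subsetting "meta-firewall" Tim describes above (one global rule set, each device receiving only the rules it can ever match, a public-space router never receiving rules about private addresses) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the thread or from any of the products Patrick lists. The device names, prefixes and rules are constructed, and the relevance model (each device advertises the prefixes it carries and, optionally, ranges it never sees) is an assumption of the example, not a description of any shipping product.

```python
"""Distribute one global rule set to many enforcement points.

Constructed example: a device receives a rule only if both the rule's
source and destination could ever appear on that device. Rule order is
preserved because firewalls evaluate first-match.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"   # "tcp", "udp" or "any"
    dport: int = 0       # 0 means any destination port


@dataclass
class Device:
    name: str
    carries: List[IPv4Network]                                   # prefixes it forwards
    excludes: List[IPv4Network] = field(default_factory=list)    # ranges it never sees


def rule(name: str, action: str, src: str, dst: str,
         proto: str = "any", dport: int = 0) -> Rule:
    return Rule(name, action, ip_network(src), ip_network(dst), proto, dport)


def can_see(net: IPv4Network, device: Device) -> bool:
    """A prefix is visible on a device if it overlaps a prefix the device
    carries and is not wholly inside a range the device never sees."""
    if not any(net.overlaps(c) for c in device.carries):
        return False
    return not any(net.subnet_of(e) for e in device.excludes)


def rules_for(device: Device, policy: List[Rule]) -> List[Rule]:
    """The subset of the global policy this device can ever match, in order."""
    return [r for r in policy
            if can_see(r.src, device) and can_see(r.dst, device)]


def distribute(policy: List[Rule], devices: List[Device]) -> Dict[str, List[Rule]]:
    """Global policy -> {device name: its rule subset}."""
    return {d.name: rules_for(d, policy) for d in devices}


def names(dist: Dict[str, List[Rule]], device: str) -> List[str]:
    return [r.name for r in dist[device]]


# Constructed global policy (hypothetical addresses from RFC 5737 / RFC 1918).
POLICY = [
    rule("users-to-fileshare", "permit", "10.1.0.0/16", "10.2.0.0/24", "tcp", 445),
    rule("public-web", "permit", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    rule("no-user-ssh-to-dmz", "deny", "10.1.0.0/16", "203.0.113.0/24", "tcp", 22),
    rule("block-inbound-private", "deny", "0.0.0.0/0", "10.0.0.0/8"),
]

RFC1918 = [ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed devices: an edge router in public address space (never sees
# private addresses), a DMZ firewall between the DMZ and the inside, and a
# campus router that only carries internal prefixes.
DEVICES = [
    Device("inet-edge-router", [ip_network("0.0.0.0/0")], excludes=RFC1918),
    Device("dmz-fw", [ip_network("203.0.113.0/24"), ip_network("10.0.0.0/8")]),
    Device("campus-router", [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]),
]


def main() -> None:
    dist = distribute(POLICY, DEVICES)
    for dev in DEVICES:
        kept = names(dist, dev.name)
        print(f"{dev.name}: {len(kept)}/{len(POLICY)} rules -> {kept}")


if __name__ == "__main__":
    main()
```

With this model the edge router ends up with only the public-web rule, the campus router with the two rules that touch its internal prefixes, and the DMZ firewall with all four. The `excludes` list is what encodes Tim's "a router in the public address space will never see a private address"; if a device does address translation, its view must be described in the address space it actually forwards, or the pruning will drop rules it needs.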


------------------------------

Message: 3
Date: Sat, 6 Jul 2013 18:33:26 +0000
From: "Young,Greg" <Greg.Young@gartner.com>
Subject: Re: [fw-wiz] DISA eliminating firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20130706183327.AB9A8BD6BB@listserv.cybertrust.com>
Content-Type: text/plain; charset="windows-1256"

BYOD doesn't mean give up on the network edge and firewalls. And a more complex Internet edge doesn't mean your data center doesn't need protecting from the outside and the WAN: just the opposite. Hence the increase in defence in depth. As long as end points are not all vulnerability free and all managed, we can't exclusively rely on host security. And firewalls aren't the silver bullet, but they can sure narrow the aperture for attacks.

This is a similar discussion to the ones a few years ago around the Jericho Forum. Anyone up for hanging their data server off the inet? Have an updated CV if you do.

I think that article speaks more to the frustrations around data security really. Data security and network security aren't exclusive though.



On 2013-07-06, at 12:11 PM, "Crispin Cowan" <crispin@crispincowan.com> wrote:

"What will happen when firewalls go away?" is a very good question, I don't have that answer. I simply assert that firewalls will go away, because they will become irrelevant. They are already barely relevant because of mobile devices. The threatscape is ignoring your firewall and walking straight through the front door attached to each individual worker in the form of a smart phone or a tablet. Not only do the users use them any way they want while away from the office, most of these devices are dual-homed to your network and a cellular network plumbed right to the internet.

It is neither my choice nor my wish that firewalls will go away, merely an inevitable consequence of pervasive mobile computing in the enterprise.

Sent from Windows Mail

From: Tim Harris
Sent: Saturday, July 6, 2013 8:11 AM
To: Firewall Wizards Security Mailing List

I don't disagree with your comment about the crunchy outside/gooey middle, but if firewalls are to go away, what will happen to the function they perform? Are we going to discard the entire function of coarse filtering? It has been amply demonstrated that the individual device is not currently capable of adequately defending itself.

Going back to my other comment about many points of administration, is there a software package or system that can/will reduce it down to a manageable problem? Is there a "meta-admin" system out there or under development?

From: firewall-wizards-bounces@listserv.icsalabs.com [mailto:firewall-wizards-bounces@listserv.icsalabs.com] On Behalf Of Crispin Cowan
Sent: Friday, July 05, 2013 12:04 PM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] DISA eliminating firewalls

Firewalls are virtually guaranteed to disappear. The writing was on the wall the first time "crunchy outside, gooey middle" was uttered. Smart phones and tablets dig the hole deeper, and BYOD is the nail in the coffin.

You cannot protect your networks in a world full of smart phones and tablets, owned by consumers, which must be allowed to connect to the network. The only thing you can do at that point is to stop trusting the network, and instead trust individual nodes, and use encrypted channels (IPsec, SSL, whatever) between nodes that trust each other.

When this will happen is far less clear, and it may be that DISA is a bit premature here. But this is coming, get used to it.

Sent from Windows Mail



------------------------------



End of firewall-wizards Digest, Vol 66, Issue 5
***********************************************
