Tuesday, July 01, 2014

firewall-wizards Digest, Vol 70, Issue 1

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Quiet (David Hills)
2. Re: Quiet (Timothy Shea)


----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Jun 2014 14:05:28 +1200
From: David Hills <list@chippo.net.nz>
Subject: Re: [fw-wiz] Quiet
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CAMQCHecXMb_qnUUvzS=id4Jr-3NberWm+7OofFx3ex+Mp9p9qw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Okay, I'll bite.

> Thoughts on IPv6?
You mean you aren't doing this yet? You're still using Windows XP and Fax
as well, right?

Platforms like the XBox One are already using IPv6 almost exclusively for
P2P communications. Even my 3 year old printer which barely does WiFi
reached out for DHCPv6 and gave itself an IP address when V6 was turned on
at home.

> Thoughts on "Cloud Firewalls?"
I always use Cloud firewalls to protect my cloud assets. Otherwise those
cloud bad actors might cloud my cloud product.

My real IT though, uses real firewalls. Physical, Virtual, On-Site or in
the Datacenter, frankly I don't care. But being "VMX" doesn't make you
partly cloudy with a chance of rain.

> Thoughts on Web Application Firewalls?
If they serve a purpose, SURE! They make great SSL offloading and Load
Balancing appliances. Wherever I can use the PCIDSS budget from the
security team to make my customer experience better, that can't be a bad
thing, right?

Doesn't reduce the need for good code and server patching though.

> 1. Have any of you used the IPv6 IPSEC equivalent yet? Tunnel or
> transport mode? Vendor hardware? Difficulties?
Vendors that don't have IPv6 hardware in at least their ISP / Datacenter
products are probably looking at some hard times ahead. Most of the u

> 2. I've pondered a cloud based service for web acceleration/filtering.
> Perhaps it would use Riverbeds for bandwidth optimization via compression,
> dedupe, etc....? Anything like that out there?
CloudFlare? Akamai? I think the Microsoft Azure CDN even offers much of
this. The advantage in context for this list? Takes your IPv4 only
Datacenter provider and makes your website IPv6 without you even
noticing. Woo!

> 3. If it doesn't do WAP, then it's an old fashioned firewall--and quite
> possibly obsolete. These days, the firewall has to encompass the whole
> stack (except layer 8--the user). I guess you could make specific cases
> like for networks that don't exchange HTTP/S traffic. But seriously, if
> your firewall doesn't understand the protocols it is passing, if it doesn't
> enforce RFCs to some extent, if it doesn't do sanity checking on bounds,
> and true protocol inspection... then what is it doing? :-)
Unless you've been asleep and you're still buying Cisco - all the big
network security vendors have moved to this model. Fortinet barely
advertise themselves as being a firewall anymore, it's all about
"Application Control". In their case, they also have full parity in their
UTM between both IPv4 and IPv6.

It's a brave new world.

So, my question then - Who's doing VoIP over IPv6? Are you seeing
advantages once we get NAT out of the way?

David



On 24 June 2014 05:16, Paul D. Robertson <paul@compuwar.net> wrote:

> It's quiet here- I'd like to stir up some discussion...
>
> Thoughts on IPv6?
> Thoughts on "Cloud Firewalls?"
> Thoughts on Web Application Firewalls?
>
> Paul
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Mon, 23 Jun 2014 18:37:43 -0700
From: Timothy Shea <tim@tshea.net>
Subject: Re: [fw-wiz] Quiet
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CAHxuY53JdvHGATT-=rS616w5MVqk=ftpLQYOk8oekMXpOo91zQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

> Thoughts on IPv6?

Meh. Is this the year of IPv6? Or was that last year? Or next year? I'm
sure it will come up in some meeting and we will table it to next year.
But I'm sure someone here will spend a lot of text here to inform me that I
must absolutely convert now even though it provides no value to our
business nor are we seeing any demand (even in our Asian markets).

> Thoughts on "Cloud Firewalls?"

Meh. For office perimeter protection - most vendors that offer "firewall
as a service" fail at the basics. Like keeping their service up. Or
advance notice of changes. Or even returning phone calls.

As for our cloud hosting properties we are moving network ACLs to the
individual hosts (we are moving to this model at our physical properties as
well). I have noticed with some amusement vendors trying to dump all their
bloated code onto an image to deliver a 'cloud firewall' without any
optimization or enhancements to take advantage of cloud features (*cough*
checkpoint *cough*).

> Thoughts on Web Application Firewalls?

Wouldn't implement a web app without one. It's vital to rapidly react to
application issues, implement rate limiting, enforce white/black listing,
keep software engineering honest, and provide visibility into the web
stack.

I'm going to grab some popcorn and see where this discussion goes. :)


On Mon, Jun 23, 2014 at 10:16 AM, Paul D. Robertson <paul@compuwar.net>
wrote:

> It's quiet here- I'd like to stir up some discussion...
>
> Thoughts on IPv6?
> Thoughts on "Cloud Firewalls?"
> Thoughts on Web Application Firewalls?
>
> Paul
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>



--
Tim Shea, CISSP, ISSAP, CISM
442-400-9096
tim@tshea.net

http://www.linkedin.com/in/timothyshea

------------------------------


End of firewall-wizards Digest, Vol 70, Issue 1
***********************************************