Top 10 Reasons the Firewall Guy's Hair is on Fire
The firewall is a mature technology, right? Then why do those who manage it feel like they're running a daycare overrun with little savages?
Great post.
But let's turn it up to 11.
Today's port-based firewalls are unable to identify and control applications that hop ports, use SSL, or use port 80. The result: the FW guy who has to deal with the 10 problems above is doing so while he (or she) is blind.
Read more about it here:
http://blog.paloaltonetworks.com/?p=153
Apologies for the double post. Friday afternoon induced user error.
I am sorry, but this article seems to me to have been written at least one century ago ;-) or the author is trying to present firewall admins as stupid people.
I don't see those points as real or unmanageable; reality is different, believe me ;o)
I would have to disagree, Alex. My company has approx. 120 FW pairs, mainly comprised of CP and Cisco with a very few NS that were acquired. While maybe not perfectly stated, I believe the author's points are valid and a growing concern for any IT security group who owns FW mgmt responsibility. Maybe you don't have many FWs to manage or have not had the great fortune to inherit someone else's FWs through merger or acquisition. As a FW admin for 6+ yrs, my experience agrees with the article. Additionally, in support of the author, I read with interest a recent ISSA Journal article by three Notre Dame researchers that would definitely support the author's points. Rule bases are growing in complexity; FW administrators and their supervisors both know mistakes are being made but lack the resources to identify and correct them in a more proactive stance.
http://issa.org/Members/Journals-Archive/2009.html#February
I also found a very compelling survey by one of the author's competitors that also supports his points.
http://www.securepassage.com/Downloads/?id=db590230-d54f-47bb-ae82-2eb569bdd8a5
Sorry for the anonymous post, but I plead the 5th for fear of unsolicited sales calls... ;-O