Comments on: Quit Complicating Our Controls http://www.cutawaysecurity.com/blog/archives/215 Cutaway's Observations, Opinions, Rants, Raves, Tantrums, and Tirades Tue, 16 Feb 2010 06:48:31 +0000 http://wordpress.org/?v=2.8.4 hourly 1 By: Security Ripcord » Blog Archive » The Perimeter is DEAD - Let’s Make It More Complex http://www.cutawaysecurity.com/blog/archives/215/comment-page-1#comment-30816 Security Ripcord » Blog Archive » The Perimeter is DEAD - Let’s Make It More Complex Wed, 12 Dec 2007 05:52:19 +0000 http://www.cutawaysecurity.com/blog/archives/215#comment-30816 [...] Quit Complicating Our Controls [...] [...] Quit Complicating Our Controls [...]

]]> By: Blog of Blogs » Blog Archive » Christopher Hoff Ponders Consolidation vs. Piling it On http://www.cutawaysecurity.com/blog/archives/215/comment-page-1#comment-30815 Blog of Blogs » Blog Archive » Christopher Hoff Ponders Consolidation vs. Piling it On Tue, 11 Dec 2007 23:33:08 +0000 http://www.cutawaysecurity.com/blog/archives/215#comment-30815 [...] Weber wrote a post last week describing his thoughts on the consolidation of [security] controls and followed it up [...] [...] Weber wrote a post last week describing his thoughts on the consolidation of [security] controls and followed it up [...]

]]> By: Security Ripcord » Blog Archive » Quit Complicating Our Controls - UTM Remix http://www.cutawaysecurity.com/blog/archives/215/comment-page-1#comment-30806 Security Ripcord » Blog Archive » Quit Complicating Our Controls - UTM Remix Mon, 10 Dec 2007 12:55:05 +0000 http://www.cutawaysecurity.com/blog/archives/215#comment-30806 [...] Comments Tarek on Quit Complicating Our ControlsRon W on Ron Woerner - an Email InterviewAndy Willingham on Quit Complicating Our Controlscutaway on [...] [...] Comments Tarek on Quit Complicating Our ControlsRon W on Ron Woerner – an Email InterviewAndy Willingham on Quit Complicating Our Controlscutaway on [...]

]]> By: Tarek http://www.cutawaysecurity.com/blog/archives/215/comment-page-1#comment-30805 Tarek Sat, 08 Dec 2007 17:16:18 +0000 http://www.cutawaysecurity.com/blog/archives/215#comment-30805 In fact, firewall were made to protect the different network segments or zones from each other by controlling who is supposed to talk to who using which protocol or application. But later one, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. On the other hand Proxy Firewalls such as MS ISA - I know it's a piece of crap - but such firewalls were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, Inspect SMTP for spam, etc. So firewall vendors were forced to compete with them in this, especially that such Proxy Firewalls are popular in SOHO and SMB networks. And I think this is when UTM came to life. Vendors also competed with each other and each vendor wanted to have more features in his data-sheet, and I think were are going to see vendors announcing that their firewalls are the first to market with built in Coffee Makers. I can agree with what you wrote here sometimes. For an ISP's Data Centre or a Large Multinational Company this can be true. Having an all in one box is not the best choice. But when it comes to normal mid-range enterprises they can have a UTM, and in such case having two layers of clustered UTM's from different vendors can protect them when complexity lead to a vulnerability in one box. In fact, firewall were made to protect the different network segments or zones from each other by controlling who is supposed to talk to who using which protocol or application.

But later one, applications such as FTP, SIP, etc. started to open dynamic ports, and firewalls were forced to evolve and become more application aware. On the other hand Proxy Firewalls such as MS ISA – I know it’s a piece of crap – but such firewalls were able to see the application layer, add rules to prevent people from downloading ZIP and MP3 files, Inspect SMTP for spam, etc. So firewall vendors were forced to compete with them in this, especially that such Proxy Firewalls are popular in SOHO and SMB networks. And I think this is when UTM came to life. Vendors also competed with each other and each vendor wanted to have more features in his data-sheet, and I think were are going to see vendors announcing that their firewalls are the first to market with built in Coffee Makers.

I can agree with what you wrote here sometimes. For an ISP’s Data Centre or a Large Multinational Company this can be true. Having an all in one box is not the best choice. But when it comes to normal mid-range enterprises they can have a UTM, and in such case having two layers of clustered UTM’s from different vendors can protect them when complexity lead to a vulnerability in one box.

]]> By: Andy Willingham http://www.cutawaysecurity.com/blog/archives/215/comment-page-1#comment-30803 Andy Willingham Mon, 03 Dec 2007 12:54:12 +0000 http://www.cutawaysecurity.com/blog/archives/215#comment-30803 Cutaway, Good post my friend. We need to encourage each other not to just accept something b/c it is the latest technology and/or the best practice. I'm also not a bit fan of UTM for the same reason that you list here. If one piece gets compromised then you are in bigger danger of having everything bypassed. Not only that but the single point of failure is an issue. It's one thing if you lose an IPS b/c the power supply goes out. It's another if that IPS is also attached to your firewall, email scanner, etc... Now you are totally down. :( Cutaway, Good post my friend. We need to encourage each other not to just accept something b/c it is the latest technology and/or the best practice. I’m also not a bit fan of UTM for the same reason that you list here. If one piece gets compromised then you are in bigger danger of having everything bypassed. Not only that but the single point of failure is an issue. It’s one thing if you lose an IPS b/c the power supply goes out. It’s another if that IPS is also attached to your firewall, email scanner, etc… Now you are totally down. :(

]]> By: cutaway http://www.cutawaysecurity.com/blog/archives/215/comment-page-1#comment-30802 cutaway Sun, 02 Dec 2007 16:43:31 +0000 http://www.cutawaysecurity.com/blog/archives/215#comment-30802 Bill, I'm not sure you get the point I am trying to convey. This might be because my poor use of a quote (yes, I did notice), you guerrilla marketing your site (yes, I did notice), or just straight up miscommunication. Basically, what I am trying to say, is that we need to get away from trying to lump everything onto one box. At times it does make sense because of cost, either monetarily or in man-hours. But people need to remember that the added complexity in these devices may increase the risks the controls are trying to address. I hope that helps. Go forth and do good things, Don C. Weber Bill,

I’m not sure you get the point I am trying to convey. This might be because my poor use of a quote (yes, I did notice), you guerrilla marketing your site (yes, I did notice), or just straight up miscommunication.

Basically, what I am trying to say, is that we need to get away from trying to lump everything onto one box. At times it does make sense because of cost, either monetarily or in man-hours. But people need to remember that the added complexity in these devices may increase the risks the controls are trying to address.

I hope that helps.

Go forth and do good things,
Don C. Weber

]]> By: Bill Wardell http://www.cutawaysecurity.com/blog/archives/215/comment-page-1#comment-30801 Bill Wardell Sun, 02 Dec 2007 01:46:23 +0000 http://www.cutawaysecurity.com/blog/archives/215#comment-30801 How do we stop this, couldn't a tool be made to like a special router that could be used to stop all this nonsense, in and out of our systems... Thanks, Bill How do we stop this, couldn’t a tool be made to like a special router that could be used to stop all this nonsense, in and out of our systems…

Thanks,

Bill

]]>