In some mail from Frank Willoughby, sie said:
>
> >|Didn't mean to ruffle your feathers, but the problem does exist
> >|and should be resolved.
> >
> >Neither problem is in the province of the "traditional" firewall. Both
> >are very serious threats and need to be dealt with.
>
> I disagree. I firmly feel that this is definitely within the province
> of the "traditional" firewall. The firewall is there to protect the
> organization from the risks of the Internet. If it can't address both
> problems, then it is offering inadequate protection. People aren't
> buying firewalls for performance, they are buying them for protection.
> If it can't protect you, you have wasted your money.
>
> I like your last sentence:
> "Both are very serious threats and need to be dealt with."
>
> I think the firewall should deal with them. Two vendors have. It would
> be nice if others would do the same.
>
> IMO, your last sentence was the only one which counted. I guess you must
> have missed the part about flames being sent to me directly. That's OK.
> Shame about the wasted bandwidth though.
You're missing the point, I think.
More than just firewalls need to address and solve this `problem'.
Firewalls are just a good target since they're usually the (only)
externally exposed part of the network.
"Hard-shell, soft-squishy-centre" problem.
Also, in a packet-filtered world, if the firewall deals with it, it isn't
enough: the firewall isn't an end of the TCP connection and it is the ends
of the connection which are attacked.
That two vendors deal with the problem only helps if they do proxying for
all connections or do something like what SunScreen does.
darren
References:
-
Re:
From: frankw @
in .
net (Frank Willoughby)
|
|
