[c-nsp] Campus Network - Deployment mode of Perimeter Firewalls

Keith Medcalf kmedcalf at dessus.com
Tue Aug 11 21:01:24 EDT 2020


Not to mention the obvious observation that a firewall designed to "fail
open" must not have anything of any importance behind it, so it (the
firewall) merely exists for "checkbox compliance" with the checklists of
incompetent arseholes and clueless retards, and not because it serves
(or is intended to serve) any useful purpose.

-- 
Be decisive.  Make a decision, right or wrong.  The road of life is
paved with flat squirrels who could not make a decision.

>-----Original Message-----
>From: cisco-nsp <cisco-nsp-bounces at puck.nether.net> On Behalf Of Gert Doering
>Sent: Tuesday, 11 August, 2020 01:18
>To: Yham <yhameed81 at gmail.com>
>Cc: cisco-nsp at puck.nether.net NSP <cisco-nsp at puck.nether.net>
>Subject: Re: [c-nsp] Campus Network - Deployment mode of Perimeter Firewalls
>
>Hi,
>
>On Mon, Aug 10, 2020 at 11:33:06PM -0400, Yham wrote:
>> Thanks for your comments. I kinda agree with you on avoiding transparent
>> mode; however, it's not clear why you wouldn't want your north-south traffic
>> to pass through perimeter security devices (FWs). How would you protect your
>> network from the outside if you don't have firewalls in the traffic path? I
>> have seen some enterprises use by-pass switches to go around the firewalls
>> in case of an unexpected failure from which the firewalls can't recover.
>
>What is the point of a firewall in front of a web server?
>
>The web server should not have any services running besides "web", and
>these have to be available from the outside.
>
>Adding a firewall means "you put a device in front of it that can handle
>less load and costs more" - but where's the security gain?
>
>gert
>
>--
>"If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>                             Robert A. Heinlein, The Moon is a Harsh Mistress
>
>Gert Doering - Munich, Germany
>gert at greenie.muc.de
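Gert's argument rests on a premise worth checking on the host itself: that the public web server exposes nothing but "web". The following is an added example, not code from this thread or from Cisco; it parses constructed `ss -Hltn`-style output (Linux listening TCP sockets) and reports any externally bound listener outside a small allowlist. The sample output, the port set and the function names are assumptions for illustration.

```python
# Added example (not from the thread): check the premise that a public web
# server listens on nothing but web ports. Input is `ss -Hltn` output
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port), here constructed.
import re

# Constructed sample of `ss -Hltn` output for illustration (not real data).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 128 [::1]:6379 [::]:*
"""

WEB_PORTS = {80, 443}                 # assumed allowlist for a pure web host
LOOPBACK = {"127.0.0.1", "::1"}       # loopback-only sockets are not exposure

_V6 = re.compile(r"^\[(?P<addr>[^\]]*)\]:(?P<port>\d+)$")   # [::]:443
_V4 = re.compile(r"^(?P<addr>[^:]+):(?P<port>\d+)$")         # 0.0.0.0:80 or *:80


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips a header row if `-H` was not used
        local = fields[3]
        m = _V6.match(local) or _V4.match(local)
        if m:
            listeners.append((m.group("addr"), int(m.group("port"))))
    return listeners


def unexpected_exposure(ss_output, allowed_ports=WEB_PORTS):
    """Listeners bound to a non-loopback address on a port outside the allowlist.

    Anything returned here is a service the perimeter argument did not account
    for; either remove it or restrict it (e.g. management access bound to an
    admin network only).
    """
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(ss_output)
        if addr not in LOOPBACK and port not in allowed_ports
    )
```

On the constructed sample the only finding is SSH on 0.0.0.0:22; the MySQL and Redis listeners are loopback-bound and therefore not counted.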