| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| I'd like to pose this question to the members of the forum. Are firewalls needed? A colleague of mine who follows the security forums says that he's reading that firewalls are being pulled out of some places. The reasons: the more sophisticated attacks are now taking place at the application layer, and with port 80 always open, attackers have a well-known way through the firewalls anyway. |
| |||
| A new market hype is coming: UTM (Unified Threat Management/Mitigation). This is a unified approach: one box does it all (Firewall, VPN, IPS, Content Filtering, Anti Virus, Anti Spam). Check Point as well as other vendors are moving in this direction. Try to read first UTM review at http://www.nss.co.uk/utm/index.htm and the Gartner doc about the place of each technology on the "hype curve" http://www.ementor.no/upload/Events/...0cycle2005.pdf |
| |||
| hahaha i love that graph. i won't be pulling firewalls ANY time soon.. any company that does is stupid.. it's like saying that home invasions are occurring through smashing windows, so there is no point locking doors now... __________________ ///M |
| |||
| Actually the Jericho Forum published a good paper on de-perimeterizing the network. As far as UTM goes, there are a lot of high-level analysts saying it's not a good thing (eggs, one basket, etc). That being said, FW1 with SmartDefense/Web Intelligence is application layer protection. -jlh |
| |||
| ok i just http://www.opengroup.org/projects/je...esentation.pdf I really don't think they're offering many answers. are they just wanting to give in to threats and have a responsive approach? the switch to data level authentication wouldn't be a small one either.. i call vapourware __________________ ///M |
| |||
| Yeah there is a lot missing here. Host-based IDS/IPS along with host-based firewalls (packet/application and OS level) will help. The Jericho paper isn't even to the level of vaporware. Maybe someday we'll get there, but we're nowhere close yet. -jlh |
| |||
| UTM is a wonderful idea, but as chillyjim noted: all eggs in one basket. I was initially quite skeptical of the deep-inspection firewall surge. This was due to the marketing hype (even by Check Point), such that the DPI (deep packet inspection) devices can take the place of a whole suite of products (firewall, ids, ips, vpn concentrator, etc). I come from the school of thought that a product should do one thing and do it well. Check Point's product line could easily be labelled as a case study in feature creep -- but that goes for most security products of today. Ultimately what it comes down to is this: the Defense-in-Depth approach to network security has a place for UTM, however, relying on one product to do it all is clearly at odds with that approach. just my $0.02. [edit -- typo correction] |
| |||
| Thanks everybody, for me this is very helpful, I'm hoping it is for other Junior members as well. I wasn't aware of UTM nor of the Jericho project. Hopefully we'll get a few more posts to keep the thread going so that we can all benefit a bit more. |