Check Point boss looks beyond 'weapons' for security defence De-perimiterisation and the move to cloud computing will not alter the central place the firewall occupies in corporate security architectures, according to Check Point chief exec Gil Shwed. Check Point is advocating a three-phase strategy of security policy enforcement centred around the firewall, user education and …
> De-perimiterisation and the move to cloud computing will not alter the central place the firewall occupies in corporate security architectures, according to Check Point chief exec Gil Shwed.
Given the nature of todays communications infrastructure, a firewall is next to useless. Once upon a time inter-communication between systems were run on a restricted set of ports and since only root could bind to these 'privileged ports' the remote system could be sure of the calling systems identity (at least if it was calling on port 22 then it was the real SSH daemon and not some spoofing process).
Later on more services were added to more ports and non-root users were allowed to bind to these ports. A firewall is designed to block IP addresses and/or ports. As such it has to allow 'safe' ports and disallow unsafe ones. Since for the reasons stated previously, it's next to impossible to verify such safe port/IP combinations, the effectiveness of the firewall is rendered useless.
If by 'intrusion prevention` you mean deep state packet inspection, that also can only be margionally effective as it has to maintain an ever expanding blacklist of unsafe scripts. IE downloading and running scripts from remote systems and relying on the local system to verify them as authentic and safe.
This post has been deleted by its author
> BUT, the general concept of a firewall and Protocol Validation (aka "deep packet inspection") is sound ..
No it isn't, Google the InterTubes for real world examples.
> The reason is that restricting ports and validating protocols (e.g. HTTP or FTP) can be seen as an instance of the security strategy called "Privilege Restriction".
No, you just don't allow HTTP or FTP processes to bind to ports or or else you tunnel them through an SSH connection. You see the root of the problem is the process-binding-to-port model. Once you've got a secure, verifiable end-to-end connection then the rest, PrR, MaCP, dPI is just so much techno-waffle. Without using a single acronym I will say this. If you can't be ever sure that the code/scripts running on your computer are yours then its game over as far as security is concerned.
This post has been deleted by its author
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
