Wednesday, February 12, 2003

Marcus Ranum on Firewalls

Marcus Ranum, one of the smartest security visionaries around, made an interesting post on 31 Dec 02 to the Focus-IDS list. He's right, as usual, about several issues. I especially applaud his proxy firewall ideas:

"About a million years ago I was designing and coding firewalls. I wrote pure proxy firewalls. OK, actually, I _invented_ pure proxy firewalls. You know what? I still think that, for security, it's The Way To Do It and everything else sucks. But the industry appears to disagree. That's OK, it's customer choice. But if I was reviewing product firewalls, guess which ones I'd say sucked and which didn't? If I developed a firewall testing methodology, NONE of the packet screens would have cut it. And people would have been able to accuse me of trying to promote my own product because my _beliefs_ and my _implementation_ were inseparable."