Slashdot Mirror


Multi-Layer Security Platforms

An anonymous reader writes "ITO has published a comprehensive article on the new meaning of unified security management: 'In the not too distant past, the information security needs for most organizations were fairly straightforward. From a technology perspective, core defenses included a handful of perimeter-based firewalls to police traffic originating from the Internet, along with software at desktops, and perhaps email gateways, to counter the emerging threat from viruses.'"

3 of 60 comments

  1. And on top of that... by b0r1s · Score: 4, Interesting

    We've been testing a BUNCH of 'all in one' security appliances, and most are clearly running Linux, and at least one of the VERY LARGE, WELL KNOWN appliances is even missing stability updates (yes, that's right, off the shelf bugtraq code can DoS it).

    There's a time and place for security appliances, but they're not a cure-all. Some of the brands (I'm actually a fan of Watchguard for small businesses) do great work blocking malicious web and email traffic, but the stability and security are still far from perfect.

    --
    Mooniacs for iOS and Android
  2. Re:Security by HMC+CS+Major · Score: 2, Interesting

    The trade-off is what kills most real admins.

    I work for an advertising agency. They live and die on "easy" communication with every client possible, and most would be surprised just what kind of crap marketing firms will send in professional emails.

    Strip an image? They just lost contact info for a potential client. Kill a zipfile because it's password protected? Oops, that was a 7 figure proposal. It just gets worse and worse.

    Start by having 2 NAS systems. One for real users, one for idiots who must be attached to the network. Then, separate them so there's no communication between them. Create multiple login systems, and protect your real work (financials, C-levels, etc) from the sales staff and receptionists who open everything, every time.

    It's extra work up front, but eventually, those super-complex ACLs preventing the receptionist from deleting any file she doesn't own will save your ass.

  3. Re:Sorry; I wasn't that impressed... by Bishop · Score: 2, Interesting

    TFA is a terrible sales pitch (complete with CIO buzzwords) for Fortinet's products.

    Last year we were testing one of the smaller Fortinet "firewalls." It was easy to crash the Fortinet box and the protocol/data scanners with a boring network fuzzer. (i.e. we sent bad data at the box) Given time I am sure that we could have exploited the crashes. But, as that was not our job, we moved on to testing better products.

    These all in one (adaptive filtering with super duper special proxies) traffic scanning firewalls rely on software that perfectly understands the higher level network protocols. This is not an easy task. Consider the different web browser bugs and misfeatures that web pages need to code around. The firewall software needs to understand and allow for these bugs as well. The traffic scanning software is complex, which leads to bugs. Some of those bugs will certainly be exploitable.