Comments on: The VIA Model of Security Filtering Technologies

By: Mr. Winston Shines

Mr. Winston Shines — Thu, 12 Mar 2009 22:28:15 +0000

Good morning Mr. Miessler,

Thanks for e-mailing me the diagram on IT security protocols. I liked how you laid it out in the diagram and used the VIA acronymn, that made it easier to understand and to follow. I will be checking your blog on a regular basis from now on.

Mr. Winston Shines

By: Mr. Winston Shines

Mr. Winston Shines — Thu, 12 Mar 2009 18:28:15 +0000

By: Rodrigo Montoro(Sp0oKeR)

Rodrigo Montoro(Sp0oKeR) — Wed, 11 Mar 2009 23:44:39 +0000

About IPS x WAF another good point is that WAF you can handle https traffic without 3rd part software .

By: arikb

arikb — Wed, 11 Mar 2009 23:43:56 +0000

Well, we'll just have to wait and see. This is definitely the future forcast Checkpoint and other firewall makers would like to see.

I personally oppose it.

I resent almost all lower layer security, yes including firewalls, and would like to see 95% of security go to layers 5 to 7.

I believe that firewalls are a hugely successful marketing campaign by the firewall companies. They are not needed for security and actually harm security by introducing the concept that your private LAN should be routed to the Internet. This is absolutely unnecessary in 99% of today's business networks and does more harm than good for security.

-- Arik

By: Daniel Miessler

Daniel Miessler — Wed, 11 Mar 2009 14:51:00 +0000

What you're talking about is still within the context of technological restraints. What I'm saying is that in the near future we're just going to have a "security point", and at that point all analysis will be done on the input provided.

The "security point" will pull policy from the central server and it will exercise the policy for each of the VIA categories. On hosts it will even do so for file access and other types of host-only cosniderations.

The point is that this security component will be standalone, and it will have all the components of a security evaluation...all the way from layer 2 to layer 7, plus the host considerations.

We will simply deploy "security points" at all of your trust boundaries -- this many for your network, this many for your hosts, this many for your mobile devices, etc. And each of them will pull policy from the server based on what needs to be enforced at that particular boundary (host, network, or whatever).

There is no reason NOT to have the lower layers as data points in this filtering. The functionality is there, and a policy might want for any given trust boundary to restrict based on MAC or IP. The point is to get away from different types of security systems for different applications.

All boundaries will be able to enforce ALL security policies--including the boundaries between networks and hosts and even hosts and applications.

By: Arik

Arik — Wed, 11 Mar 2009 08:46:10 +0000

So what you're saying is that you want to take a machine that does layer 7 stuff, which on occasion needs to actually be a cluster because it needs to do so much processing per transaction, and put it in-line on the network, in switch-land (L2) or router-land (L3)?

I don't agree with this approach. I don't think there should be any L2 or L3 components other than routers and switched respectively. A firewall is too much in my opinion, and is not really necessary, but if you insist you can have that. The 5 machine strong cluster that does L7 inspection? See I don't mind if it goes in-line to your traffic, but don't put it on the wire. Make your traffic go through it.

-- Arik