Re: [fw-wiz] Firewall Primitives

From: Marcus J. Ranum (mjr@ranum.com)
Date: 11/04/02


To: David Lang <david.lang@digitalinsight.com>, Cat Okita <cat@reptiles.org>
From: "Marcus J. Ranum" <mjr@ranum.com>
Date: Mon Nov  4 09:38:01 2002

David Lang wrote:
>this is only close to complete if you define a firewall as a packet filter
>of some sort.

Excellent point. I submit for your consideration the observation
that firewall primitives should _all_ be connection-oriented. For
services that are not inherently connection-based, an effective
firewall should simulate connections to the best of its ability.

>even if you tried to extend the type to include things like HTTP/FTP/etc
>you still will need other parameters to configure the proxies.

I also suggest you consider that firewall primitives should include
content searching - either on originated or returned content,
as well as vectoring to a VPN or trusted interface. Possibly
also include primitives for redirecting traffic and possibly
simulating a session start, so the firewall can interact
effectively with things like honeyd.

mjr.

---
Marcus J. Ranum				http://www.ranum.com
Computer and Communications Security	mjr@ranum.com
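The two primitives Ranum argues for above, connection-oriented handling (with synthetic connections for connectionless protocols such as UDP) and content searching on either direction of a flow, are illustrated by the following added example. It is my code, not code from the original post or from any firewall mentioned in the thread. The inside address set, the idle timeouts, the deny pattern and the packet sequence are all constructed for the demonstration; the addresses are documentation/private ranges and stand for nothing real.

```python
"""Stateful 'pseudo-connection' tracking with a content-search primitive.

Added example (not from the firewall-wizards post).  An outbound packet from an
inside host creates a flow entry; return traffic is admitted only while that
entry exists.  UDP has no handshake, so the firewall *simulates* a connection:
the first outbound datagram opens it, every packet refreshes it, and an idle
entry expires after udp_timeout seconds.  Payloads are searched for denied
byte patterns in both directions before the flow table is consulted.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ts: float           # arrival time in seconds (constructed clock)
    payload: bytes = b""


FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


class ConnTrackFirewall:
    def __init__(self, inside: Sequence[str], udp_timeout: float = 30.0,
                 tcp_timeout: float = 3600.0,
                 deny_patterns: Sequence[bytes] = ()) -> None:
        self.inside = set(inside)
        self.udp_timeout = udp_timeout
        self.tcp_timeout = tcp_timeout
        self.deny_patterns = list(deny_patterns)
        self.flows: Dict[FlowKey, float] = {}   # flow key -> last-seen time

    @staticmethod
    def _key(p: Packet) -> FlowKey:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet) -> FlowKey:
        # The key under which the *originating* direction of this flow was stored.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _timeout(self, proto: str) -> float:
        return self.udp_timeout if proto == "udp" else self.tcp_timeout

    def _expire(self, now: float) -> None:
        # Simulated connections end by idleness, since UDP has no FIN/RST.
        dead = [k for k, last in self.flows.items()
                if now - last > self._timeout(k[0])]
        for k in dead:
            del self.flows[k]

    def filter(self, p: Packet) -> str:
        """Return a verdict string for one packet and update flow state."""
        self._expire(p.ts)
        # Content primitive: applies to originated and returned traffic alike.
        for pat in self.deny_patterns:
            if pat in p.payload:
                return "DENY-CONTENT"
        if p.src in self.inside and p.dst not in self.inside:
            self.flows[self._key(p)] = p.ts      # open or refresh the flow
            return "ALLOW-ORIG"
        rk = self._reverse_key(p)
        if rk in self.flows:
            self.flows[rk] = p.ts                # refresh on return traffic
            return "ALLOW-REPLY"
        return "DENY-NOFLOW"                     # unsolicited or expired


def demo() -> List[str]:
    """Run a constructed UDP exchange through the firewall; returns verdicts."""
    fw = ConnTrackFirewall(inside=["10.0.0.5"], udp_timeout=30.0,
                           deny_patterns=[b"cmd.exe"])      # constructed policy
    client, resolver = "10.0.0.5", "192.0.2.53"            # constructed hosts
    pkts = [
        Packet("udp", client, 40000, resolver, 53, 0.0, b"query"),       # opens flow
        Packet("udp", resolver, 53, client, 40000, 0.1, b"answer"),      # matches it
        Packet("udp", resolver, 53, client, 40001, 0.2, b"unsolicited"), # no flow
        Packet("udp", resolver, 53, client, 40000, 100.0, b"late"),      # idle-expired
        Packet("udp", client, 40000, resolver, 53, 100.5, b"query2"),    # reopens
        Packet("udp", resolver, 53, client, 40000, 100.6, b"GET cmd.exe"),  # content hit
    ]
    return [fw.filter(p) for p in pkts]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of checks matters: the content search runs before the flow lookup, so a denied pattern is caught even on traffic that would otherwise be a legitimate reply, which is the "returned content" case in the post. The idle timeout is the only thing that closes a simulated UDP connection, so its value is the trade-off between leaving a hole open for late unsolicited datagrams and breaking slow legitimate exchanges.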

