Re: [fw-wiz] netscreen proxies??

From: Paul Robertson (proberts_at_patriot.net)
Date: 05/25/03

  • Next message: Barney Wolff: "Re: [fw-wiz] Adding 2ndary IP to IPSO"
    To: Adam <controls@attbi.com>
    Date: Sat, 24 May 2003 20:58:39 -0400 (EDT)
    

    On Sat, 24 May 2003, Adam wrote:

    > Can anyone tell me what real application proxy capabilities are in a
    > netscreen? I looked at it a few years ago and only saw proxies at the
    > transport layer. I saw a rep at a trade show recently that told me that
    > current generation netscreen provides deep layer 7 inspection for numerous
    > protocols.

    [I don't know about Netscreen in particular, but this is a generic issue
    these days...]

    "Layer 7 inspection" doesn't necessarily mean "application proxy," and
    hasn't for quite some time. For some things, it may provide a similar
    level of control, for others it won't, and it really depends on how much
    stack-like behaviour there is in the product (which gets us to stack-like
    bugs...)

    With a proxy, you pretty much know that there's a functional client and
    mostly-functional server. With "inspection," it's pretty darned difficult
    to figure out what's inside the box. I've yet to see any commercial
    vendor enumerate very well at all what inspection happens, and what
    impact it has on the protocol for a particular firewall product.

    We've all seen what happens when "inspection" happens to FTP, and things
    like H.323 don't give me warm fuzzies at all when it comes to "inspection"
    and firewalls. Heck, I'm not at all sure I've seen anyone touting any
    sort of protection from an HTTP inspection engine for anything that wasn't
    trivial.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    proberts@patriot.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
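To make the proxy-versus-"inspection" distinction in Paul's reply concrete, here is a small added example (not code from the original post or from any vendor product) in Python. It uses the FTP PORT command, the classic case he alludes to, and contrasts a pattern-matching "inspection" that opens a data-channel pinhole for every PORT it sees with a proxy-style check that understands what a legitimate client may ask for. The control-channel lines and the client address are constructed sample data; the function names are the example's own.

```python
import re

# Constructed sample: FTP control-channel lines as a firewall would see them
# on a session from a client at 10.0.0.5. (Example data, not from the post.)
CLIENT_IP = "10.0.0.5"
SAMPLE_LINES = [
    "USER anonymous",
    "PORT 10,0,0,5,4,1",        # client's own address, port 4*256+1 = 1025
    "PORT 10,0,0,9,0,22",       # a different host, port 22
    "PORT 10,0,0,5,0,80",       # client's own address, but a privileged port
    "RETR file.txt",
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port(line):
    """Return (ip, port) from a PORT command, or None if the line is not one."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    a, b, c, d, hi, lo = (int(x) for x in m.groups())
    if max(a, b, c, d, hi, lo) > 255:
        return None            # malformed octet; refuse to guess
    return f"{a}.{b}.{c}.{d}", hi * 256 + lo


def naive_inspection(lines):
    """Pattern-matching 'inspection': every well-formed PORT becomes a pinhole,
    with no notion of which endpoint the client is entitled to name."""
    holes = []
    for line in lines:
        parsed = parse_port(line)
        if parsed:
            holes.append(parsed)
    return holes


def proxy_style_check(lines, client_ip):
    """Proxy-like behaviour: the data channel may only go back to the client
    itself on an unprivileged port. Anything else is refused and recorded so
    the operator can log and alert on it instead of silently opening a hole."""
    holes, refused = [], []
    for line in lines:
        parsed = parse_port(line)
        if not parsed:
            continue
        ip, port = parsed
        if ip == client_ip and 1024 <= port <= 65535:
            holes.append(parsed)
        else:
            refused.append((line, "endpoint is not the client on an unprivileged port"))
    return holes, refused


if __name__ == "__main__":
    print("inspection opened:", naive_inspection(SAMPLE_LINES))
    opened, denied = proxy_style_check(SAMPLE_LINES, CLIENT_IP)
    print("proxy opened:", opened)
    for line, reason in denied:
        print("proxy refused:", line, "->", reason)
```

The point of the contrast is the one in the reply: the proxy-style code embodies a model of what a functional client is allowed to say, so its behaviour can be stated and audited, whereas the inspection version's behaviour is whatever its regular expression happens to match.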

