Re: [fw-wiz] Evolution of Firewalls

From: Dave Piscitello (dave_at_corecom.com)
Date: 03/09/04

  • Next message: Frederick M Avolio: "Re: [fw-wiz] Evolution of Firewalls"
    To: Frederick M Avolio <fred@avolio.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 09 Mar 2004 13:26:02 -0500
    
    

    At 03:14 PM 3/8/2004 -0500, Frederick M Avolio wrote:
    >At 02:37 PM 3/8/2004 -0500, Dave Piscitello wrote:
    >>Lots of names for the same security functionality: examining application
    >>headers and application data streams for attacks and blocking them. You
    >>can and some vendors still do this using proxy architecture, while some
    >>use the same stateful packet inspecting methods they used to examine
    >>network protocol headers.
    >
    >well, yeah but not really. That is the problem. All different names for
    >slightly different ways of doing things. The devil is in the
    >difference. But some people have lost those differences in the marketing
    >noise, if they ever understood the differences.

    Emphasis on "functionality" not implementation, and "inspect all things
    that ought to have their own port # but are now tunneled through port
    80" (primarily, not exclusively). May the "don't proliferate port number
    assignment" gods forgive what I suggest here but I honestly don't think we
    make life any easier by creating one gaping hole than several dozen
    possibly containable ones.

    >>The most secure firewall? Probably has less to do with proxy vs. stateful
    >>inspection than policy, implementation/configuration, and the admin at
    >>the policy console.
    >
    >I disagree. Both are important. The greatest policy then only gives you as
    >much security as your security mechanisms will allow.

    Again, emphasis. I am saying that I'd rather have a competent staffer
    administering my stateful inspection firewall than one less competent
    administering my proxy.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
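Added example, not part of the list post above: the "inspect what is tunneled through port 80" point, reduced to code. A filter that matches only on port number admits everything on TCP/80; the classifier below instead looks at the first bytes the client sends and admits only streams that are actually HTTP, and even then refuses requests that open a tunnel (CONNECT, or an Upgrade header). The protocol fingerprints are the standard ones (HTTP request line, TLS record header, SSH identification string, BitTorrent handshake); the function names, the policy and the sample byte strings are constructed for this example.

```python
import re

# Request line shape, per RFC 7230: method SP target SP HTTP-version CRLF.
_HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


def identify_protocol(payload: bytes) -> str:
    """Label the client's first bytes by what they look like, not by port."""
    if _HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 22 (handshake), record version 3.x.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if payload.startswith(b"SSH-"):                     # SSH identification string (RFC 4253)
        return "ssh"
    if payload.startswith(b"\x13BitTorrent protocol"):  # pstrlen=19 + protocol name
        return "bittorrent"
    return "unknown"


def tunnel_hint(http_payload: bytes) -> str:
    """Return a reason if an HTTP-shaped request is itself a tunnel
    (CONNECT to an arbitrary host:port, or an Upgrade to another protocol);
    empty string otherwise."""
    head = http_payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if lines[0].startswith(b"CONNECT "):
        return "CONNECT method: proxy tunnel request"
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"upgrade":
            return "Upgrade to " + value.strip().decode("latin-1")
    return ""


def enforce(port: int, payload: bytes, inspect: bool):
    """Decide on a new client stream; returns (verdict, reason).

    inspect=False: allow anything on port 80 (pure port-number filter).
    inspect=True:  the data must look like HTTP and must not open a tunnel.
    """
    if port != 80:
        return ("drop", "port not allowed")
    if not inspect:
        return ("allow", "port 80")
    proto = identify_protocol(payload)
    if proto != "http":
        return ("drop", "non-HTTP payload on port 80: " + proto)
    hint = tunnel_hint(payload)
    if hint:
        return ("drop", hint)
    return ("allow", "http")


# Constructed sample first-bytes for this example; not captured traffic.
SAMPLES = {
    "web": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_8.9\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32,
    "connect": b"CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net:25\r\n\r\n",
    "websocket": (b"GET /chat HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Upgrade: websocket\r\nConnection: Upgrade\r\n\r\n"),
}


def verdicts(inspect: bool) -> dict:
    """Run every sample through the policy on port 80; returns name -> verdict."""
    return {name: enforce(80, data, inspect)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("inspect=%s" % mode)
        for name, data in SAMPLES.items():
            verdict, reason = enforce(80, data, mode)
            print("  %-10s %-5s %s" % (name, verdict, reason))
```

With inspect=False every sample is allowed because the port is 80; with inspect=True only the plain GET survives. The check is deliberately stateless and looks at one direction of the first segment, so it says nothing about proxy versus stateful architecture, which is the thread's point: either implementation can host this functionality, and the policy decision (is CONNECT or WebSocket allowed at all?) still belongs to the administrator.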

