Re: [fw-wiz] Evolution of Firewalls

From: Frederick M Avolio (fred_at_avolio.com)
Date: 03/09/04

    To: Dave Piscitello <dave@corecom.com>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 09 Mar 2004 13:41:34 -0500
    
    

    At 01:26 PM 3/9/2004 -0500, Dave Piscitello wrote:
    >Emphasis on "functionality" not implementation, and "inspect all things
    >that ought to have their own port # but are now tunneled through port
    >80" (primarily, not exclusively). May the "don't proliferate port number
    >assignment" gods forgive what I suggest here but I honestly don't think we
    >make life any easier by creating one gaping hole than several dozen
    >possibly containable ones.

    Well, if we talk "functionality" we can say *functionally* a Firewall-1, a
    Sidewinder, and my ADSL modem are functionally the same. Distinctions are
    very important here.

    A few months ago I moderated a panel of solution providers, in which the
    assertion was made that all firewalls basically just filter on IP packets.
    (See http://www.avolio.com/weblog/security/WhatFirewallsDo.html) I know you
    aren't saying that, of course, but there are security-significant
    differences in technology and implementation.

    >Again, emphasis. I am saying that I'd rather have a competent staffer
    >administering my stateful inspection firewall than one less competent
    >administering my proxy.

    And I say this is a false dilemma. That is *never* the choice.

    f

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

