Re: [fw-wiz] Evolution of Firewalls

From: Frederick M Avolio (fred_at_avolio.com)
Date: 03/09/04

  • Next message: Christian Kreibich: "Re: [fw-wiz] Evolution of Firewalls" 
    To: Dave Piscitello <dave@corecom.com>, <firewall-wizards@honor.icsalabs.com>
Date: Tue, 09 Mar 2004 13:41:34 -0500

    At 01:26 PM 3/9/2004 -0500, Dave Piscitello wrote:
    >Emphasis on "functionality" not implementation, and "inspect all things
    >that ought to have their own port # but are now tunneled through port
    >80"(primarily, not exclusively). May the "don't proliferate port number
    >assignment" gods forgive what I suggest here but I honestly don't think we
    >make life any easier by creating one gaping hole than several dozen
    >possibly containable ones.

    Well, if we talk "functionality" we can say *functionally* a Firewall-1, a
    Sidewinder, and my ADSL modem are functionally the same. Distinctions are
    very important here.

    A few months ago I moderated a panel of solution providers, in which the
    assertion was made that all firewalls basically just filter on IP packets.
    (See http://www.avolio.com/weblog/security/WhatFirewallsDo.html) I know you
    aren't saying that, of course, but there are security-significant
    differences in technology and implementation.

    >Again, emphasis. I am saying that I'd rather have a competent staffer
    >administering my stateful inspection firewall than one less competent
    >administering my proxy.

    And I say this is a false dilemma. That is *never* the choice.

    f

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  • Next message: Christian Kreibich: "Re: [fw-wiz] Evolution of Firewalls"

    Relevant Pages

    • Re: PLINK and/or PuTTY -- Logon to Linux with no Privileges
      ... There are firewalls that can detect this sort of thing, ... We've tried just regular VNC, with no luck, then tried it on port 80, ... were easily broken out of because, well, they're shell scripts! ...
      (comp.security.ssh)
    • Re: How to Stealth POP3 Port 110 using NIS2000?
      ... > What do you want to protect by 'stealth-ports'? ... > stealthed port protects your privacy, 'cause I really don't get it. ... I can't answer that as I am no expert on firewalls. ...
      (comp.security.firewalls)
    • Re: How to Stealth POP3 Port 110 using NIS2000?
      ... >> how a stealthed port protects your privacy, 'cause I really don't get it. ... > I can't answer that as I am no expert on firewalls. ... The only thing you risk when not stealthing port 110 is for people to find ...
      (comp.security.firewalls)
    • Re: firewall question
      ... > I posted this to the security basics list but nobody answered the ... > answer since they are the ones who have to get around firewalls. ... > connection to me via netcat with a destination port of 80, ... > SecurityFocus' SIA service which automatically alerts you to the ...
      (Pen-Test)
    • Re: PLINK and/or PuTTY -- Logon to Linux with no Privileges
      ... behind restrictive firewalls so VNC can be tunneled through it. ... tried just regular VNC, with no luck, then tried it on port 80, with no ... or to use a sort-of-restrictive shell for the users. ...
      (comp.security.ssh)