[fw-wiz] Future and past firewalls (was "firewalls comparison")

From: ArkanoiD (ark_at_eltex.ru)
Date: 06/25/04

  • Next message: Marcus J. Ranum: "Re: [fw-wiz] Sun/Solaris Checkpoint FW-1 Question"
    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 25 Jun 2004 14:23:44 +0400
    
    

    nuqneH,

    I've read the "Advanced Screening" article on the Infosecuritymag site and I'd like to
    share some thoughts on it.

    The first impression was quite good, I'd say; things are not as bad as I supposed ;-)
    There still IS a market for advanced firewalling as I see it, and there are
    professionals who are interested in tools for keeping things controlled.
    But some questions are still unanswered. Those are:

    As I stated before, there are TWO completely different things, both called
    "firewall". Devices for protecting DMZ servers, focused on scalability, fault
    tolerance, high performance, IPS capabilities and DoS resistance. And there are
    devices for protecting LANs, with completely different feature requirements:
    advanced application inspection and granular control. Why does everyone mix those two?
    Different boxes, different designs and, sure, different vendors.
    (I've found it to be a very good sign that VPN features are left aside in this
    comparison; looks like people finally realized the obvious thing: a firewall itself
    is not required to be a VPN box, though it usually can be ;-))

    On SOAP and other http+xml combos: how do you create security policies
    for passing xml-based messages through a firewall? I still do not have this
    feature, but I definitely need it, and I'd like to see a wishlist and references
    on how others implement it.

    The same question applies to IIOP, which was not even noted in the article, though
    2 years ago everyone talked about it.

    Is IPS in its traditional meaning important for proxy firewalls? My personal
    impression is that it is more important to have advanced protocol parsing that will
    drop questionable content regardless of whether there is a known vulnerability abused
    this way or not, rather than to have an up-to-date "signature database". When I see a
    new vulnerability, I often check if my proxies are paranoid enough. For http/html, it
    is about 70% of "unknown" bad things being blocked a priori. For lpd, it is
    about 100% ;-), for cvs-pserver 50%, etc etc, YMMV. Does not look good enough to
    rely on it? Sure, but that is just because of my lack of resources to analyse
    vulnerabilities and make content inspection deeper.

    What's wrong with Cyberguard? It was blamed in the article for "legacy design",
    what do they mean?

    Does Netscreen really do in-depth IMAP inspection? The protocol is terribly
    complicated :-(

    P.S. (some advertising ;-)

    Though there still are some corporate, government and bank installations of my
    creature, it is becoming mostly like an academic project at the moment ;-). Here is the
    core code snapshot (sorry, almost no documentation, but it should look familiar to
    you if you have experience with TIS/NAI fwtk; there is even an API that resembles the
    old one, so you may compile any fwtk proxy with it). We are interested in any
    commercial proposals on the thing.

    http://milliways.chance.ru/~ark/soft/ADVAopenfwtk-pre2.tar.gz

    $ md5sum ADVAopenfwtk-pre2.tar.gz
    86065d63d96e03479bdba627f279753b ADVAopenfwtk-pre2.tar.gz

    It is pre-release code, so no public license; if you want to use it, just write
    me an email.

    Legacy proxies that did not pass QA are not included, you may get them at fwtk.org
    in "patches" section.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
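The paranoid-proxy approach argued for in the post (reject whatever does not fit a strict grammar, instead of matching a signature database) and the open question of policies for SOAP over HTTP, as one added example in Python. This is not code from the original post, from TIS/NAI fwtk or from openfwtk. The SOAP 1.1 envelope namespace is the real one; the service namespace urn:example:orders, the GetOrderStatus allow-list, the size limits and every sample request are constructed for this example.

```python
"""Strict application-layer inspection of HTTP requests carrying SOAP.

Added example, not code from the original post or from fwtk/openfwtk: a
proxy-style filter that drops anything outside a strict HTTP grammar, then
applies a per-site XML policy to POST bodies.  Policy values, the service
namespace urn:example:orders and all sample requests are constructed here.
"""
import io
import re
import xml.etree.ElementTree as ET

MAX_LINE, MAX_HEADERS, MAX_BODY, MAX_XML_DEPTH = 4096, 64, 64 * 1024, 32
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"      # SOAP 1.1 envelope namespace
# Hypothetical site policy: the only (namespace, operation) pair allowed to cross the firewall.
ALLOWED_OPERATIONS = {("urn:example:orders", "GetOrderStatus")}

TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")        # RFC 7230 token
TARGET = re.compile(rb"/[\x21-\x7e]*")                      # absolute path, printable ASCII only
HEADER_VALUE = re.compile(rb"[\x20-\x7e]*")                 # no control characters at all


class Reject(Exception):
    """Reason the proxy refused to relay the request."""


def parse_request(raw):
    """Strict HTTP/1.x request parser: anything not matching the grammar is dropped."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Reject("no end of headers")
    lines = head.split(b"\r\n")
    if any(b"\n" in ln or len(ln) > MAX_LINE for ln in lines):
        raise Reject("bare LF or overlong line")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise Reject("malformed request line")
    method, target, version = parts
    if not TOKEN.fullmatch(method) or method.decode() not in ALLOWED_METHODS:
        raise Reject("method not permitted")
    if version not in (b"HTTP/1.0", b"HTTP/1.1"):
        raise Reject("unsupported HTTP version")
    if not TARGET.fullmatch(target) or b".." in target:
        raise Reject("suspicious request target")
    headers = {}
    for ln in lines[1:]:
        name, colon, value = ln.partition(b":")
        if not colon or not TOKEN.fullmatch(name) or not HEADER_VALUE.fullmatch(value):
            raise Reject("malformed header line")
        key = name.lower().decode()
        if key in headers:                      # e.g. two Content-Length headers: smuggling vector
            raise Reject("duplicate header " + key)
        headers[key] = value.strip().decode()
        if len(headers) > MAX_HEADERS:
            raise Reject("too many headers")
    if version == b"HTTP/1.1" and "host" not in headers:
        raise Reject("missing Host")
    if "transfer-encoding" in headers:          # policy: this proxy relays fixed-length bodies only
        raise Reject("transfer-encoding not relayed")
    clen = headers.get("content-length", "0")
    if not clen.isdigit() or int(clen) != len(body) or len(body) > MAX_BODY:
        raise Reject("body length mismatch or too large")
    return method.decode(), target.decode(), headers, body


def inspect_soap(body):
    """Return the operation name if the body is a policy-conforming SOAP 1.1 envelope."""
    if b"<!DOCTYPE" in body.upper() or b"<!ENTITY" in body.upper():
        raise Reject("DTD or entity declaration in XML")    # XXE / entity-expansion vector
    depth, root = 0, None
    try:
        for event, elem in ET.iterparse(io.BytesIO(body), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > MAX_XML_DEPTH:
                    raise Reject("XML nested too deep")
                root = elem if root is None else root
            else:
                depth -= 1
    except ET.ParseError as exc:
        raise Reject("not well-formed XML: %s" % exc)
    if root.tag != "{%s}Envelope" % SOAP_ENV:
        raise Reject("not a SOAP envelope")
    body_el = root.find("{%s}Body" % SOAP_ENV)
    if body_el is None or len(body_el) != 1:
        raise Reject("expected exactly one operation element")
    tag = body_el[0].tag
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    if (ns, local) not in ALLOWED_OPERATIONS:
        raise Reject("operation %s not permitted" % local)
    return local


def inspect(raw):
    """Proxy decision: ('ok', summary) to relay, ('drop', reason) otherwise."""
    try:
        method, target, headers, body = parse_request(raw)
        if method == "POST":
            if not headers.get("content-type", "").startswith("text/xml"):
                raise Reject("POST body must be text/xml")
            return "ok", "%s %s -> %s" % (method, target, inspect_soap(body))
        if body:
            raise Reject("body not allowed on " + method)
        return "ok", "%s %s" % (method, target)
    except Reject as exc:
        return "drop", str(exc)


def make_post(xml):
    """Wrap an XML body in a syntactically valid POST (constructed sample input)."""
    return (b"POST /orders HTTP/1.1\r\nHost: app.example\r\nContent-Type: text/xml\r\n"
            b"Content-Length: %d\r\n\r\n" % len(xml)) + xml


ENVELOPE = b'<s:Envelope xmlns:s="%s"><s:Body>%%s</s:Body></s:Envelope>' % SOAP_ENV.encode()
SAMPLES = {   # constructed requests: one legitimate, the rest "unknown bad things"
    "good": make_post(ENVELOPE % b'<o:GetOrderStatus xmlns:o="urn:example:orders"><o:id>42</o:id></o:GetOrderStatus>'),
    "unlisted_op": make_post(ENVELOPE % b'<o:DeleteAllOrders xmlns:o="urn:example:orders"/>'),
    "xxe": make_post(b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///etc/passwd">]>' + ENVELOPE % b"<x>&e;</x>"),
    "dup_clen": b"POST /orders HTTP/1.1\r\nHost: a\r\nContent-Length: 0\r\nContent-Length: 5\r\n\r\n",
    "bare_lf": b"GET /status HTTP/1.1\nHost: app.example\r\n\r\n",
    "traversal": b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\nHost: app.example\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-12s %s" % (name, inspect(raw)))
```

None of the rejections above depends on a vulnerability signature: the duplicate Content-Length, the bare LF, the DOCTYPE and the unlisted operation are refused because they fall outside what the site's policy says a legitimate request looks like, which is the "blocked a priori" effect the post describes.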

