RE: [fw-wiz] Firewalls Compared

From: Stiennon,Richard (Richard.Stiennon_at_gartner.com)
Date: 06/29/04


To: <firewall-wizards@honor.icsalabs.com>
Date: Mon, 28 Jun 2004 23:52:21 -0400

Am I the only one that sees a huge difference between an application proxy (ala the good old days of server based firewalls) and filters that are applied to payloads (ala Network Intrusion Prevention) by inline network devices?

Let's keep in mind that stateful inspection firewalls are GREAT security devices. They protect over 80% of enterprise networks today. SQL Slammer cannot get through a firewall with port 1443 blocked. Same for MSBlaster, Welchia etc.

However, worms can come in through infected laptops or third party connections. When they connect directly to the corporate LAN you are toast. It turns out IPS is great at blocking worms and it is easier to deploy IPS internally because policy setting is simple: MS Blaster yes/no?

Worms generally target Microsoft vulnerabilities. Are you going to write application proxies for Exchange? ASN 1? Does anyone other than MSFT even know how these applications communicate? Not. But, you know what the vulnerability looks like and could look at traffic and identify malicious activity even without signatures. The future of network security is all about inspecting traffic. It is not about application proxies.

-Richard Stiennon

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Marcus J. Ranum
Sent: Monday, June 28, 2004 2:56 PM
To: ark@eltex.net; Laura Taylor
Cc: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] Firewalls Compared

ArkanoiD wrote:
>I've found that articles
>are written from "packet filter" point of view, paying almost no
>attention to application protocol support

With the increasing focus on application layer attacks, the day
of packet-filters even being termed "firewalls" is pretty much over.
Packet filters were barely firewalls to begin with, but today, the
fight's mostly up in Layer 7 where they have no value.

Of course "we told you so" applies. ;)

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards