RE: [fw-wiz] Firewalls Compared

From: Ben Nagy (ben_at_iagu.net)
Date: 06/29/04

To: "'Stiennon,Richard'" <Richard.Stiennon@gartner.com>, <firewall-wizards@honor.icsalabs.com>
Date: Tue, 29 Jun 2004 17:45:49 +0200

Hi,

> -----Original Message-----
> From: firewall-wizards-admin@honor.icsalabs.com
> [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf
> Of Stiennon,Richard
[...]
> Am I the only one that sees a huge difference between an
> application proxy (ala the good old days of server based
> firewalls) and filters that are applied to payloads (ala
> Network Intrusion Prevention) by inline network devices?

No. :)

> Let's keep in mind that stateful inspection firewalls are
> GREAT security devices.[...]

Stuff I agree with snipped.

> Are you
> going to write application proxies for Exchange? ASN 1? Does
> anyone other than MSFT even know how these applications
> communicate? Not. But, you know what the vulnerability looks
> like and could look at traffic and identify malicious
> activity even without signatures.

OK, but here's the rub - how are you going to identify, without signatures,
what is malicious without understanding the communication in depth? At some
level, the problem will always come down to the same thing. All the vendors
(including us [1]) that do "protocol anomaly detection" have a set of
expected behaviours, and a set of "this type of behaviour is always gonna be
bad" things that will set off alarms. However this technology can just as
easily be applied by a "firewall" when doing "deep inspection", or by a
Network IPS when doing "intelligent heuristic threat identification" or
buzzword equivalent.

Basically, it all gets down to semantics. I will agree, though, that it is
much, much easier to 'redpoint' portions of the communication protocol in
order to enforce rules and stop certain generic attack types without relying
on signatures. Writing a full application proxy is always going to be harder
than that.

Then again, you could do what Gauntlet did and just copy-paste the plug
proxy ten times and give it different names, and then apply your "anomaly
detection" to that stream. Voila, you just invented a Deep Inspect-o-Tron
Application Fireweasel.

> The future of network
> security is all about inspecting traffic. It is not about
> application proxies.

A lot of people are probably about to argue that those two things converge
to a limit at which they are functionally equivalent. I'm going to resist
biting on the "future of network security" prognosis - I guess that habit
must get ingrained after a while. ;)

Anyway, I do completely agree that more flexible and accurate techniques are
required to identify and block malicious traffic. Ports and IPs sure aren't
enough, and signatures are a waste of time, given the strong trend towards
zero-day or "effectively" zero-day attacks.

As I've said before, I see a lot of value in better ways to "mitigate
vulnerabilities" especially unknown and non-signature-friendly ones - I also
think that the closer you can get to the host the better (to better cover
multiple attack vectors), but we just went there did that discussion a few
weeks ago.

> -Richard Stiennon

Cheers,

ben

[1] Yeah, yeah, disclaimer, I work for eEye, we have a host-based IPS, apply
pinches of salt to taste. Heck, just ignore me completely - but if you
patent a Deep Inspectotron Application Fireweasel then I want 15%.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
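The "set of expected behaviours plus a set of always-bad behaviours" model that the post above contrasts with signature matching, as an added Python illustration (this is not code from the original message, from eEye, or from any product named in the thread): a toy checker for HTTP/1.x request lines that flags deviations from an assumed grammar next to a single literal signature. The method whitelist, the length limit, the signature string and the sample request lines are all constructed assumptions, chosen only to show where each approach alerts and where it stays silent.

```python
"""Toy protocol-anomaly check vs. signature match on HTTP request lines.

Added illustration only; the grammar, limits and samples below are
constructed assumptions, not a real product's detection logic.
"""
import re

# Expected-behaviour model (assumption: the protected service only
# needs these methods and this request-line shape).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
MAX_TARGET_LEN = 2048
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# One constructed signature: a literal string for a "known" bad request.
SIGNATURES = {"known-bad-payload": "KNOWN-BAD-PAYLOAD-2004"}


def check_signature(line):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern in line:
            return name
    return None


def check_anomaly(line):
    """Return a list of reasons the line deviates from expected behaviour.

    An empty list means the line fits the model; it says nothing about
    whether the payload is actually harmful.
    """
    reasons = []
    # Control or high bytes never belong in a request line.
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in line):
        reasons.append("non-printable byte in request line")
    match = REQUEST_LINE.match(line)
    if not match:
        reasons.append("request line does not match grammar")
        return reasons
    method, target = match.group(1), match.group(2)
    if method not in ALLOWED_METHODS:
        reasons.append(f"unexpected method {method}")
    if len(target) > MAX_TARGET_LEN:
        reasons.append(
            f"request target length {len(target)} exceeds {MAX_TARGET_LEN}")
    if "%00" in target or "\x00" in target:
        reasons.append("embedded NUL in request target")
    if ".." in target.split("?")[0]:
        reasons.append("dot-dot segment in path")
    return reasons


def classify(line):
    """Run both approaches on one line and report what each would say."""
    return {"signature": check_signature(line), "anomalies": check_anomaly(line)}


def summarize(lines):
    """Count how many lines each approach alerts on: (signature, anomaly)."""
    sig_hits = sum(1 for l in lines if check_signature(l))
    anomaly_hits = sum(1 for l in lines if check_anomaly(l))
    return sig_hits, anomaly_hits


# Constructed sample traffic, one request line each.
SAMPLES = [
    "GET /index.html HTTP/1.1",                                  # benign
    "POST /cgi-bin/form?data=KNOWN-BAD-PAYLOAD-2004 HTTP/1.0",   # well-formed, signature only
    "GET /" + "A" * 3000 + " HTTP/1.1",                           # oversized target, no signature
    "TRACE / HTTP/1.1",                                           # method outside the model
    "GET /a/../etc HTTP/1.1",                                     # dot-dot in path
    "GET /x%00.html HTTP/1.1",                                    # embedded NUL
    "\x00\x01GET / HTTP/1.1",                                     # binary junk, grammar fails
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample[:40]), classify(sample))
    print("alerts (signature, anomaly):", summarize(SAMPLES))
```

Run as a script it prints each verdict and the tally. The second sample is the case the thread circles around from the signature side: it is perfectly well-formed, so the behaviour model stays quiet and only the literal pattern catches it. The remaining five are the other direction: none of them contains a known string, yet each violates something the model calls "always gonna be bad", which is what a protocol-anomaly engine, a deep-inspecting firewall or an application proxy with the same rules would all alert on without a signature.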
