RE: [fw-wiz] Firewalls Compared

From: Jim Seymour (jseymour_at_linxnet.com)
Date: 06/29/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Tue, 29 Jun 2004 10:19:11 -0400 (EDT)
    
    

    "Stiennon,Richard" <Richard.Stiennon@gartner.com> wrote:
    >
    > Am I the only one that sees a huge difference between an application
    > proxy (ala the good old days of server based firewalls) and filters
    > that are applied to payloads (ala Network Intrusion Prevention) by
    > inline network devices?

    Er... no? (Depending on how you define "filter.")

    >
    > Let's keep in mind that stateful inspection firewalls are GREAT
    > security devices. They protect over 80% of enterprise networks today.

    FSVO "protection." Their popularity does not, of necessity, make them
    the best solution.

    > SQL Slammer cannot get through a firewall with port 1443 blocked. Same
    > for MSBlaster, Welchia etc.

    Those can't get through my little NAT DSL router at home, but I hardly
    refer to that NAT box as a "firewall."

    >
    [snip]
    >
    > Worms generally target Microsoft vulnerabilities. Are you going to
    > write application proxies for Exchange? ASN 1? Does anyone other than
    > MSFT even know how these applications communicate? Not.

    Which is as good a reason as any other, perhaps a better reason, not to
    allow such things through whatever you use that passes as a firewall.

    What an... interesting argument. It's a proprietary protocol that we
    do not, and likely can not, know anything about, so we just let it in
    and hope for some internal, after-the-fact defenses to deal with it?

    > But, you know
    > what the vulnerability looks like and could look at traffic and
    > identify malicious activity even without signatures.

    I'm trying to reconcile "know what the vulnerability looks like" with
    "even without signatures," and failing miserably.

    > The future of
    > network security is all about inspecting traffic. It is not about
    > application proxies.

    In your opinion. Personally, I prefer defense-in-depth. Try to keep
    it from getting in, in the first place. Assume something will defeat
    my border defenses, and so harden everything inside as best I can [*]
    and deploy internal detection and reactive defenses.

    [*] "As best I can" amounts to what's technically possible, as much
        as possible w/o crippling usability beyond tolerable limits.

    Without meaning to be insulting, really, I do have to say that if
    Mr. Stiennon's position is common amongst the analysts at Gartner,
    that organization's cachet has just taken a *major* hit in my eyes.

    Perhaps I'm missing/misunderstanding something. If so: Somebody
    kindly enlighten me?

    Jim
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

