Re: [fw-wiz] VM system for firewall use

From: Paul D. Robertson (
Date: 10/12/04

  • Next message: Paul D. Robertson: "Re: [fw-wiz] VM system for firewall use"
    To: ArkanoiD <>
    Date: Tue, 12 Oct 2004 11:25:55 -0400 (EDT)

    On Tue, 12 Oct 2004, ArkanoiD wrote:

    > > 1. The filter gets all data anyway, so all data going through the proxy
    > > is immediately subject to compromise (i.e. the filter can pass back
    > > *anything* to compromise an internal machine (say send the next IE browser
    > > a GDI exploit?) and the internal systems talk to the proxy.
    > No, the proxy is not at all that dumb to get data from the filter back and
    > to use it blindly. Its interface to filter is restricted;
    > filter may be not allowed to modify content at all - just instruct proxy with
    > simple actions.
    > That's a design issue I should keep in mind.

    That's a good design- hopefully the marketing folks that are driving the
    changes don't "need" the filtering product to pass back
    this-is-why-we-blocked-you HTML, which seems to be the typical chance for
    the filtering product manufacturers to get their "brand" in front of the
    Web browser, or to make the filter a stand-alone product.

    It still amazes me when folks writing security software *design* it well-
    I've become very jaded over the years.

    Paul D. Robertson
    "My statements in this message are personal opinions which may have no basis whatsoever in fact."
    Director of Risk Assessment
    TruSecure Corporation
    firewall-wizards mailing list
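
The restricted filter interface discussed in this message, sketched as an added example that is not part of the original thread or of any product's code: the filter may return only a verdict from a fixed set, and the block page shown to the browser comes from the proxy. The one-line wire format and all names (`parse_verdict`, `relay`, `BLOCK_PAGES`) are assumptions.

```python
# Added illustration; the verdict format and every name here are hypothetical.
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"

# Block pages are owned by the proxy. The filter can only select one by
# reason code; it never supplies the bytes that reach the browser.
BLOCK_PAGES = {
    b"POLICY": b"<html><body>Blocked by policy.</body></html>",
    b"MALWARE": b"<html><body>Blocked: malicious content.</body></html>",
}
GENERIC_BLOCK = b"<html><body>Blocked.</body></html>"
MAX_REPLY = 32  # a verdict line never needs more than this many bytes

def parse_verdict(reply: bytes):
    """Return (Verdict, reason_code). Anything malformed fails closed."""
    if len(reply) > MAX_REPLY or not reply.endswith(b"\n"):
        return Verdict.BLOCK, None
    fields = reply[:-1].split(b" ")
    if fields == [b"ALLOW"]:
        return Verdict.ALLOW, None
    if len(fields) == 2 and fields[0] == b"BLOCK" and fields[1] in BLOCK_PAGES:
        return Verdict.BLOCK, fields[1]
    return Verdict.BLOCK, None

def relay(origin_body: bytes, filter_reply: bytes) -> bytes:
    """Bytes sent to the internal client: origin data or a proxy-owned page."""
    verdict, reason = parse_verdict(filter_reply)
    if verdict is Verdict.ALLOW:
        return origin_body
    return BLOCK_PAGES.get(reason, GENERIC_BLOCK)

# Constructed sample replies from a hypothetical filter process.
SAMPLES = [
    b"ALLOW\n",
    b"BLOCK MALWARE\n",
    b"BLOCK <b>VendorName</b>\n",    # filter tries to pass back its own markup
    b"ALLOW\nHTTP/1.1 200 OK\n",     # extra data smuggled after the verdict
    b"ALLOW",                        # truncated reply, no terminator
]

if __name__ == "__main__":
    origin = b"<html>page fetched from the origin server</html>"
    for sample in SAMPLES:
        print(sample, "->", relay(origin, sample))
```
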
