Re: [fw-wiz] VM system for firewall use

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 10/12/04

    To: ArkanoiD <ark@eltex.net>
    Date: Tue, 12 Oct 2004 11:25:55 -0400 (EDT)
    
    

    On Tue, 12 Oct 2004, ArkanoiD wrote:

    > > 1. The filter gets all data anyway, so all data going through the proxy
    > > is immediately subject to compromise (i.e. the filter can pass back
    > > *anything* to compromise an internal machine (say send the next IE browser
    > > a GDI exploit?) and the internal systems talk to the proxy.
    >
    > No, the proxy is not at all that dumb to get data from the filter back and
    > to use it blindly. Its interface to filter is restricted;
    > filter may be not allowed to modify content at all - just instruct proxy with
    > simple actions.
    >
    > That's a design issue I should keep in mind.

    That's a good design- hopefully the marketing folks that are driving the
    changes don't "need" the filtering product to pass back
    this-is-why-we-blocked-you HTML, which seems to be the typical chance for
    the filtering product manufacturers to get their "brand" in front of the
    Web browser, or to make the filter a stand-alone product.

    It still amazes me when folks writing security software *design* it well-
    I've become very jaded over the years.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
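
An added example, not code from the thread or from any product discussed in it: one way a proxy could enforce the restricted filter interface described above, where the filter may only return a simple action and never content. The one-line verdict format, the reason codes and all function names are assumptions made for illustration.

```python
import re
from enum import Enum

class Action(Enum):
    ALLOW = "ALLOW"
    BLOCK = "BLOCK"

# Reason codes the proxy itself knows how to explain (assumed set).
# The filter can only select one; it never supplies the wording.
REASONS = {
    "MALWARE": "Content matched a malware signature.",
    "POLICY": "Content is not permitted by site policy.",
}

# A whole verdict: an action, optionally one reason code, then end of line.
VERDICT_RE = re.compile(rb"(ALLOW|BLOCK)(?: ([A-Z]{1,16}))?\r?\n")
MAX_VERDICT_LEN = 32

def parse_verdict(raw: bytes):
    """Return (Action, reason or None). Anything malformed fails closed."""
    if len(raw) > MAX_VERDICT_LEN:
        return Action.BLOCK, None
    m = VERDICT_RE.fullmatch(raw)
    if m is None:
        return Action.BLOCK, None
    action = Action(m.group(1).decode("ascii"))
    reason = m.group(2).decode("ascii") if m.group(2) else None
    if action is Action.ALLOW:
        # ALLOW carries no argument; extra fields mean a confused filter.
        return (Action.ALLOW, None) if reason is None else (Action.BLOCK, None)
    return Action.BLOCK, reason if reason in REASONS else None

def respond(origin_body: bytes, raw_verdict: bytes) -> bytes:
    """Bytes sent to the client come from the origin or the proxy, never the filter."""
    action, reason = parse_verdict(raw_verdict)
    if action is Action.ALLOW:
        return origin_body
    # Block text is built from the proxy's own table, not from filter output.
    return REASONS.get(reason, "Blocked by proxy.").encode("ascii")

if __name__ == "__main__":
    # Constructed sample verdicts, including a filter trying to return HTML.
    for v in (b"ALLOW\n", b"BLOCK MALWARE\n", b"BLOCK <script>x</script>\n"):
        print(v, "->", respond(b"<html>origin page</html>", v))
```

With this shape, a compromised filter can at worst cause a wrong allow or block decision; it has no channel for placing its own bytes in front of the browser.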

