Re: [fw-wiz] VM system for firewall use

From: Paul D. Robertson (paul_at_compuwar.net)
Date: 10/12/04

    To: ArkanoiD <ark@eltex.net>
    Date: Tue, 12 Oct 2004 11:25:55 -0400 (EDT)
    
    

    On Tue, 12 Oct 2004, ArkanoiD wrote:

    > > 1. The filter gets all data anyway, so all data going through the proxy
    > > is immediately subject to compromise (i.e. the filter can pass back
    > > *anything* to compromise an internal machine (say send the next IE browser
    > > a GDI exploit?) and the internal systems talk to the proxy.
    >
    > No, the proxy is not at all that dumb to get data from the filter back and
    > to use it blindly. Its interface to filter is restricted;
    > filter may be not allowed to modify content at all - just instruct proxy with
    > simple actions.
    >
    > That's a design issue I should keep in mind.

    That's a good design- hopefully the marketing folks that are driving the
    changes don't "need" the filtering product to pass back
    this-is-why-we-blocked-you HTML, which seems to be the typical chance for
    the filtering product manufacturers to get their "brand" in front of the
    Web browser, or to make the filter a stand-alone product.

    It still amazes me when folks writing security software *design* it well-
    I've become very jaded over the years.

    Paul
    -----------------------------------------------------------------------------
    Paul D. Robertson "My statements in this message are personal opinions
    paul@compuwar.net which may have no basis whatsoever in fact."
    probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
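
The restricted proxy-to-filter interface discussed in this message, as an added sketch that is not part of the original thread or of any product mentioned in it. The verdict tokens, the length bound, and the names `parse_verdict` and `relay` are assumptions made for illustration.

```python
from enum import Enum

class Verdict(Enum):
    # The only two things the filter is allowed to say (assumed tokens).
    ALLOW = b"ALLOW"
    BLOCK = b"BLOCK"

MAX_VERDICT_LEN = 16  # assumed upper bound on a filter reply

# The block page belongs to the proxy; the filter supplies no HTML at all.
PROXY_BLOCK_PAGE = b"<html><body>Request blocked by policy.</body></html>"

def parse_verdict(reply: bytes) -> Verdict:
    """Map a raw filter reply to a Verdict; anything unexpected fails closed."""
    if len(reply) > MAX_VERDICT_LEN:
        return Verdict.BLOCK
    token = reply.rstrip(b"\r\n")
    for verdict in Verdict:
        if token == verdict.value:
            return verdict
    return Verdict.BLOCK

def relay(origin_body: bytes, filter_fn) -> bytes:
    """Return the bytes the proxy sends on to the internal client."""
    try:
        reply = filter_fn(origin_body)
    except Exception:
        return PROXY_BLOCK_PAGE  # a crashing filter is treated as BLOCK
    if not isinstance(reply, bytes):
        return PROXY_BLOCK_PAGE
    if parse_verdict(reply) is Verdict.ALLOW:
        return origin_body  # the proxy's own copy, never filter output
    return PROXY_BLOCK_PAGE

# Constructed sample filters: one honest, two misbehaving.
def honest_filter(body: bytes) -> bytes:
    return b"BLOCK\n" if b"forbidden" in body else b"ALLOW\n"

def html_returning_filter(body: bytes) -> bytes:
    return b"<html>content chosen by the filter</html>"

def smuggling_filter(body: bytes) -> bytes:
    return b"ALLOW\n<b>x</b>"

if __name__ == "__main__":
    page = b"<html>origin page</html>"
    for f in (honest_filter, html_returning_filter, smuggling_filter):
        print(f.__name__, relay(page, f))
```

With this shape a misbehaving filter can still return a wrong verdict, but it cannot place bytes of its own in front of the internal browser.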

