Re: [fw-wiz] A fun smackdown...
From: Chuck Swiger (chuck_at_codefab.com)
Date: 05/19/05
- Previous message: Ben Nagy: "RE: [fw-wiz] A fun smackdown..."
- In reply to: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
- Next in thread: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
- Reply: Paul D. Robertson: "Re: [fw-wiz] A fun smackdown..."
- Reply: Joseph S D Yao: "Re: [fw-wiz] A fun smackdown..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Paul D. Robertson" <paul@compuwar.net>
Date: Thu, 19 May 2005 09:57:42 -0400
On May 19, 2005, at 9:04 AM, Paul D. Robertson wrote:
> On Tue, 17 May 2005, Martin wrote:
>> "Be liberal in what you accept; be strict in what you send."
>
> _All_ effective security controls break that tenet. The more liberal
> your controls, the more risk you assume.
There is more to an effective security control than only denying stuff!
I think you're over-valuing the utility of "deep protocol inspection",
Paul, and you seem to be ignoring the risks of denying legitimate
connections which should have been permitted.
An effective security measure needs to implement the security policy.
It needs to permit the types of access that legitimate users are
allowed to have, for the system-- meaning the network, the firewall,
and the server(s) or other equipment being used-- to work correctly.
This is just as important as denying access to stuff that is not
permitted by the security policy.
Has "fixup protocol smtp 25" actually done much to prevent a vulnerable
M$ Exchange box from being owned, or helped control the flow of
spammy/virusized traffic significantly? Does it help control outbound
malicious SMTP traffic? Has it ever happened that a firewall itself
ends up with buffer overflow bugs in its own code, trying to implement
all the per-protocol stuff?
If you want to manage SMTP securely, blocking port 25 in both
directions while permitting only your MX box(es) through would do a
heck of a lot more good than the protocol inspection does.
--
-Chuck
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
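As an added illustration of the port-25 policy Chuck argues for in the closing paragraph (block TCP/25 in both directions, let only the MX host(s) through), here is a small Python model of that rule set. It is example code written for this page, not code from the post or from the firewall-wizards list; the LAN prefix, the MX address, the sample flows and the helper names (`Flow`, `direction`, `smtp_policy`, `evaluate`) are constructed assumptions. On a real firewall the same decisions would be expressed as ordinary stateful rules; the model exists to show that a simple address-based policy both denies the unwanted SMTP paths (a non-MX host receiving mail, a workstation sending it) and still permits the legitimate ones, which is the "permit what the policy allows" half of the argument.

```python
"""Model of a port-25 firewall policy: SMTP is allowed only to and from
the site's MX host(s); every other new TCP/25 connection is dropped.
Added example, not code from the original post. All addresses below are
constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumptions: the protected LAN and its single MX host.
INTERNAL_NET = ip_network("192.0.2.0/24")
MX_HOSTS = {ip_address("192.0.2.25")}
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    """A new-connection attempt as a stateful firewall would see it."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def direction(flow: Flow) -> str:
    """Classify a flow relative to the protected LAN."""
    src_inside = ip_address(flow.src) in INTERNAL_NET
    dst_inside = ip_address(flow.dst) in INTERNAL_NET
    if src_inside and not dst_inside:
        return "outbound"
    if dst_inside and not src_inside:
        return "inbound"
    return "other"          # LAN-to-LAN or transit traffic: not SMTP edge policy


def smtp_policy(flow: Flow) -> str:
    """Return 'permit' or 'deny' for one connection attempt.

    Only TCP/25 is governed here; anything else falls through to whatever
    the rest of the rule base says, which this model treats as 'permit'.
    """
    if flow.proto != "tcp" or flow.dport != SMTP_PORT:
        return "permit"
    d = direction(flow)
    if d == "inbound" and ip_address(flow.dst) in MX_HOSTS:
        return "permit"     # the Internet may deliver mail to the MX
    if d == "outbound" and ip_address(flow.src) in MX_HOSTS:
        return "permit"     # only the MX may deliver mail outward
    return "deny"           # every other SMTP path, both directions


def evaluate(flows):
    """Apply the policy to a list of flows; returns [(flow, verdict), ...]."""
    return [(f, smtp_policy(f)) for f in flows]


# Constructed sample flows covering both directions and the non-SMTP case.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.25", 25),   # Internet -> MX: legitimate inbound mail
    Flow("198.51.100.7", "192.0.2.50", 25),   # Internet -> stray internal mail server
    Flow("192.0.2.50", "203.0.113.9", 25),    # workstation -> Internet: direct-to-MX sending
    Flow("192.0.2.25", "203.0.113.9", 25),    # MX -> Internet: legitimate outbound mail
    Flow("192.0.2.50", "203.0.113.9", 443),   # workstation HTTPS: not governed by this rule
]

if __name__ == "__main__":
    for flow, verdict in evaluate(SAMPLE_FLOWS):
        print(f"{direction(flow):9s} {flow.src:>14s} -> {flow.dst}:{flow.dport:<4d} {verdict}")
```

Running the block prints one verdict per sample flow; the two legitimate MX paths are permitted and the two non-MX SMTP paths are denied, while unrelated traffic is untouched. Adding a second MX is a matter of extending `MX_HOSTS`, which is the kind of change that is easy to audit in an address-based rule and hard to audit in per-protocol inspection logic.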