RE: [fw-wiz] so much for "deny all"

From: Kerry Thompson (kez_at_crypt.gen.nz)
Date: 06/17/05

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 17 Jun 2005 10:22:09 +1200 (NZST)

    Paul Melson said:
    > [snip]
    > I think it's much ado about nothing (both the panic and the hype). The
    > real issue is the same issue that's been plaguing networks since the first
    > "stateful" firewalls shipped to customers: it is easier to adopt a sloppy
    > trust model than it is to discover, document, and enforce a strict traffic
    > policy. Despite the obvious problems, firewall vendors are ultimately just
    > vendors. They must move units, and therefore their products have features
    > that appeal to our lazy networks and lax policies.

    Possibly what they are referring to is the multitude of applications which
    tunnel traffic over innocuous ports. Almost anything can be tunnelled over
    http/https now - just take a look at "firewall friendly" SSL-VPNs which
    happily pass through proxies to connect an outside endpoint to the
    internal desktop PC. Even fairly lame stuff like gotomypc.com is getting
    harder to manage as it becomes more common.

    So the firewalls now have to do "deep inspection" to try to pick out and
    manage this crap being tunnelled, and the poor security administrator is
    being forced to take a stance where he has to permit everything and make
    some attempt to pick out the rubbish which is deeply hidden and probably
    even encrypted.

    Not surprisingly, plenty of vendors who sell the tunnelling technology
    (like SSL VPNs) now need to sell new firewalls which need "deep
    inspection" to manage the tunnels.

    Kerry

    -- 
    Kerry Thompson, CCNA CISSP
    Information Systems Security Consultant
    http://www.crypt.gen.nz
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
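The port-versus-protocol check that Kerry's "deep inspection" boils down to, as an added example that is not part of the original post: the first client bytes of a TCP flow are classified as HTTP, TLS or something else and compared with the port they arrived on. The sample flows, port expectations and protocol fingerprints are constructed for illustration.

```python
"""Port-vs-protocol check of the kind a 'deep inspection' firewall performs.

A mismatch (e.g. an SSH banner arriving on 443) is what flags an application
tunnelling over an innocuous port. All sample data below is constructed.
"""
import re

HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "CONNECT", "PATCH"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")

def classify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a client stream."""
    # TLS: record type 0x16 (handshake), version 0x03 0x0X, handshake type 0x01 (ClientHello)
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    m = REQUEST_LINE.match(payload)
    if m and m.group(1).decode() in HTTP_METHODS:
        return "http"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"

# Assumed policy: which protocols are acceptable on which destination ports.
EXPECTED = {80: {"http"}, 443: {"tls"}}

def check_flow(dst_port: int, payload: bytes) -> tuple[str, str]:
    """Return (protocol, verdict) where verdict is 'ok', 'mismatch' or 'unfiltered'."""
    proto = classify(payload)
    allowed = EXPECTED.get(dst_port)
    if allowed is None:
        return proto, "unfiltered"  # no protocol expectation for this port
    return proto, "ok" if proto in allowed else "mismatch"

# Constructed sample flows: the first client bytes of three TCP connections.
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (443, bytes.fromhex("160301") + b"\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 32),
    (443, b"SSH-2.0-OpenSSH_4.1\r\n"),  # SSH carried over the HTTPS port
]

def audit(samples=SAMPLES) -> list[tuple[int, str, str]]:
    """Classify every sample flow and return (port, protocol, verdict) triples."""
    return [(port, *check_flow(port, data)) for port, data in samples]

if __name__ == "__main__":
    for port, proto, verdict in audit():
        print(f"port {port:<4} looks like {proto:<8} -> {verdict}")
```

A genuine SSL-VPN or a proxy-friendly remote-access tool produces a real ClientHello and passes this check, which is the point of the post: once the tunnel is proper TLS, matching port to protocol no longer separates the tunnel from ordinary HTTPS.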
    
