Re: [fw-wiz] medical records, web server, & stateful firewall vs packet filter

From: Adam Greene (maillist_at_webjogger.net)
Date: 11/18/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Fri, 18 Nov 2005 09:38:40 -0500
    
    

    Paul and Jeff,

    Thanks to both of you for your responses, which I found very useful. Paul,
    you're right of course that focusing on firewalls and packet filters will be
    close to useless if there is no application-level security. And the DoS
    concerns are secondary to preventing system compromise. In general what I'm
    getting from the feedback which you and others have provided is that the DoS
    issues really are secondary at this point.

    thanks again,
    Adam

    ----- Original Message -----
    From: "Paul Melson" <pmelson@gmail.com>
    To: "'Adam Greene'" <maillist@webjogger.net>;
    <firewall-wizards@honor.icsalabs.com>
    Sent: Thursday, November 10, 2005 4:35 PM
    Subject: RE: [fw-wiz] medical records, web server, & stateful firewall vs packet filter

    > -----Original Message-----
    > Subject: [fw-wiz] medical records, web server, & stateful firewall vs packet filter
    >
    > > My question at this point is: am I making a mistake by placing a stateful firewall between
    > > the webserver and the Internet? Maybe a simple packet filter would be less prone to DoS
    > > attacks. I could stick a Cisco 2800 there instead. I have always believed that a stateful
    > > firewall device like a PIX or ASA 5500 would offer better overall protection than a packet
    > > filter (I need to limit access to the image and SQL servers too), but some feedback I've
    > > received recently is causing me to question this assumption.
    >
    > I think you're off-target to be worrying about DoS attacks over attacks that
    > lead to the compromise of this system or disclosure of data contained within
    > (especially because healthcare data is regulated/protected in many
    > countries). I think you're also relying too heavily on the web server and
    > the web app to be secure, which they probably aren't. And since the web app
    > has access to the SQL database and the image files you're trying to protect,
    > it's likely to be your soft spot. Layer 3 filters are useful out front and
    > between the front-end and back-end servers, but they're just a start. You
    > need to look at application security either through app testing and
    > assurance or through some sort of protective reverse proxy.
    >
    > PaulM
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
