Re: [fw-wiz] FW appliance comparison - Seeking input for the forum


On Wed, Jan 18, 2006 at 03:27:20PM -0500, Paul Melson wrote:

> > Why would you want a signature based IDS at all? They don't work.
> > Period. Enumerating badness is a silly idea.
> Sure they do. The premise may be flawed, but the technology works, even if
> it falls into the "better than nothing" category. They're smoke detectors
> for a small subset of possible fires. Using one is still better than
> letting the house burn to the ground each and every time there's a fire.

You are correct and I oversimplified the issue. They are useful.
They don't increase the "security" of flawed firewall
designs, though.

> See my previous post. Just because you enforce HTTP over TCP/80 with a
> proxy doesn't mean you're keeping all of the garbage out... or in.

I'm not talking about enforcing HTTP. I'm talking about enforcing
application data. I know of a firewall vendor actively developing
an Active Directory proxy enforcing which side of the proxy is
allowed which methods and objects on the other side of the proxy.

There are products that let you configure a positive list of
URLs that your web application uses. Everything else will be
denied. This catches _all_ of "GET /../../../WINDOWS/SYSTEM32/CMD.EXE ..."
and the like. If configured correctly.

Mechanism is nothing without policy. And firewalls are mechanism.

> Not to
> mention that there are plenty of standard, known protocols out there (think
> SQL protocols) that lack a good proxy to manage the actual behavior of the
> connections that cross them.

The very same vendor has got an MS SQL proxy that actually understands

> Not to mention that the real bad guys are tunneling across the
> allowed ports while you sleep.

Firewalls have never been about ports. Most current commercial
offerings are, but I hardly call _these_ firewalls.

Kind regards,
-- GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe
firewall-wizards mailing list
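The positive-list approach described in the message above (a list of the URLs the web application actually uses, everything else denied) as an added example; this is illustrative code written for this page, not a product's implementation, and the allowlist, request lines and function names are all constructed assumptions. The point it adds to the prose is the "if configured correctly" caveat: the filter must canonicalize the request target (percent-decoding, dot-segment collapsing) the same way the server behind it will, or an encoded form of a denied path slips through while the plain form is caught.

```python
"""Deny-by-default (positive-list) check of HTTP request lines.

Constructed example for illustration: the allowlist, the request samples
and the helper names are assumptions, not any vendor's code.
"""
import posixpath
from urllib.parse import unquote

# Assumed policy: the (method, path) pairs this web application legitimately uses.
ALLOWED_REQUESTS = {
    ("GET", "/"),
    ("GET", "/index.html"),
    ("GET", "/static/app.js"),
    ("POST", "/login"),
}


def canonical_path(raw_target: str) -> str:
    """Reduce a request-target to the path the origin server would resolve.

    Query string and fragment are dropped, percent-decoding is repeated until
    stable so double-encoded sequences (%252e%252e) do not evade a single pass,
    backslashes are treated as separators, and dot segments are collapsed with
    posixpath.normpath so '/a/../../etc' becomes '/etc'.
    """
    path = raw_target.split("#", 1)[0].split("?", 1)[0] or "/"
    for _ in range(5):  # bounded: stop when decoding no longer changes anything
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)
    while path.startswith("//"):  # normpath keeps a double leading slash
        path = path[1:]
    if not path.startswith("/"):
        path = "/" + path
    return path


def decide(request_line: str) -> str:
    """Return 'allow' only if (METHOD, canonical path) is on the positive list."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return "deny"  # malformed request line: fail closed
    method, target = parts[0].upper(), parts[1]
    if (method, canonical_path(target)) in ALLOWED_REQUESTS:
        return "allow"
    return "deny"


# Constructed sample traffic: legitimate requests plus the CMD.EXE traversal
# quoted in the message, in plain and percent-encoded forms.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1",
    "GET /index.html?lang=en HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /../../../WINDOWS/SYSTEM32/CMD.EXE?/c+dir HTTP/1.0",
    "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /static/app.js HTTP/1.1",
    "DELETE /login HTTP/1.1",
    "GET /static/app.js",
]


def run_samples():
    """Evaluate every sample request and return (request, verdict) pairs."""
    return [(req, decide(req)) for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req, verdict in run_samples():
        print(f"{verdict:5s}  {req}")
```

Because the decision is made on the canonical (method, path) pair and not on the raw bytes, the traversal request is denied in both its plain and encoded spellings, and an unexpected method against a listed path is denied as well; anything the policy does not name is rejected, which is what makes the list "positive" rather than a signature list of known-bad strings.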