Re: [fw-wiz] FW appliance comparison - Seeking input for the forum


On Wed, Jan 18, 2006 at 03:27:20PM -0500, Paul Melson wrote:

> > Why would you want a signature based IDS at all? They don't work.
> > Period. Enumerating badness is a silly idea.
> Sure they do. The premise may be flawed, but the technology works, even if
> it falls into the "better than nothing" category. They're smoke detectors
> for a small subset of possible fires. Using one is still better than
> letting the house burn to the ground each and every time there's a fire.

You are correct and I oversimplified the issue. They are useful.
They don't increase the "security" of flawed firewall
designs, though.

> See my previous post. Just because you enforce HTTP over TCP/80 with a
> proxy doesn't mean you're keeping all of the garbage out... or in.

I'm not talking about enforcing HTTP. I'm talking about enforcing
application data. I know of a firewall vendor actively developing
an Active Directory proxy enforcing which side of the proxy is
allowed which methods and objects on the other side of the proxy.

There are products that let you configure a positive list of
URLs that your web application uses. Everything else will be
denied. This catches _all_ of "GET /../../../WINDOWS/SYSTEM32/CMD.EXE ..."
and the like. If configured correctly.

Mechanism is nothing without policy. And firewalls are mechanism.

> Not to
> mention that there are plenty of standard, known protocols out there (think
> SQL protocols) that lack a good proxy to manage the actual behavior of the
> connections that cross them.

The very same vendor has got an MS SQL proxy that actually understands

> Not to mention that the real bad guys are tunneling across the
> allowed ports while you sleep.

Firewalls have never been about ports. Most current commercial
offerings are, but I hardly call _these_ firewalls.

Kind regards,
-- GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe
firewall-wizards mailing list
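As an added illustration of the positive-list approach described in the reply above (example code, not from the thread or any vendor product), here is a small Python allowlist check: the (method, path) pairs the web application actually uses are the policy, the request target is canonicalized (percent-decoding, backslash-to-slash, dot-segment removal) before matching, and everything else is denied. The naive prefix check beside it shows what "if configured correctly" means in practice. All allowlist entries and request lines are constructed.

```python
import posixpath
from urllib.parse import unquote

# Constructed positive list: only these (method, canonical path) pairs are
# what the hypothetical application uses. Anything else is denied by default.
ALLOWED = {
    ("GET", "/app/index.html"),
    ("GET", "/app/static/style.css"),
    ("POST", "/app/login"),
}


def canonical_path(target):
    """Reduce an HTTP request-target to one canonical absolute path.

    Decoding happens before dot-segment removal so "%2e%2e" collapses like
    a literal "..", and backslashes are treated as separators (as IIS does).
    posixpath.normpath drops ".." that would climb above "/", so the
    traversal from the thread ends up as "/WINDOWS/SYSTEM32/CMD.EXE",
    which simply is not on the list.
    """
    path = target.split("?", 1)[0].split("#", 1)[0] or "/"
    path = unquote(path).replace("\\", "/")
    path = posixpath.normpath(path)
    return path if path.startswith("/") else "/" + path


def decide(request_line, allowlist=ALLOWED):
    """Return (allowed, canonical_path) for one HTTP request line."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False, "malformed request line"   # fail closed
    method, target, _version = parts
    path = canonical_path(target)
    return (method, path) in allowlist, path


def naive_prefix_check(target):
    """The misconfiguration: a raw prefix match is NOT a positive list.

    "/app/../../WINDOWS/SYSTEM32/CMD.EXE" starts with "/app/" and passes.
    """
    return target.startswith("/app/")


if __name__ == "__main__":
    for line in ("GET /app/index.html HTTP/1.1",
                 "GET /../../../WINDOWS/SYSTEM32/CMD.EXE HTTP/1.0",
                 "GET /app/%2e%2e/%2e%2e/WINDOWS/SYSTEM32/CMD.EXE HTTP/1.1",
                 "DELETE /app/index.html HTTP/1.1"):
        print(decide(line), line)
```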
