RE: [fw-wiz] FW appliance comparison - Seeking input for the forum



-----Original Message-----
Subject: RE: [fw-wiz] FW appliance comparison - Seeking input for the forum


> Peer-to-peer and IM are about controlling what someone does, not really
> security. Both of those are controllable by local machine policy, especially
> in the Windows case- so an IDS is a pretty expensive thing to manage just so
> your visitors don't do something you don't want them to do- and QoS would be
> about as effective in the P2P space.

I categorically disagree with your first statement. To illustrate my point,
fire up your favorite Kazaa or Gnutella client and search for 'ntuser.dat'.
And there's always: http://isc.sans.org/diary.php?storyid=917

There are more reasons why it's a bad idea to allow these things across your
Internet border, and since it's an issue of crossing that border, it's
easier to manage detection and enforcement at those points than it is to do
it directly at each desktop.


> Actually, I think the moral of the story is it's still good to use a
> proxy...

But not just any proxy. There are lots of proxies out there that simply
don't deliver the type of protocol control that is needed. In fact, I would
say that none of the top 3 border proxies out there can stop IM tunneling
from clients like MSN or Yahoo.

PaulM
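An added illustration of the border-enforcement point above (this is editor-supplied example code, not PaulM's or anyone else's from the thread): a small Python detector run over constructed proxy access-log lines. The log format, hostnames and URL-path signatures are assumptions made up for the example; the port numbers 1863 (MSN Messenger) and 5050 (Yahoo Messenger) are the clients' well-known native ports. It flags three things a border proxy can see that a per-desktop policy cannot: CONNECT tunnels to a known IM port, CONNECT tunnels to any port other than 443 (the usual way a "permissive" proxy gets turned into a generic tunnel), and plain-HTTP requests whose path looks like an IM client's HTTP-gateway fallback.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log (not from any real proxy): "time client method target status".
SAMPLE_LOG = """\
2004-10-12T09:14:02 10.0.0.21 CONNECT messenger.example.net:1863 200
2004-10-12T09:14:05 10.0.0.21 POST http://gateway.messenger.example.net/gateway/gateway.dll?Action=open 200
2004-10-12T09:15:10 10.0.0.22 GET http://www.example.com/index.html 200
2004-10-12T09:15:33 10.0.0.23 CONNECT mail.example.org:443 200
2004-10-12T09:16:01 10.0.0.24 CONNECT pager.example.net:5050 200
2004-10-12T09:16:40 10.0.0.25 POST http://shttp.pager.example.net/notify/ 200
"""

# Well-known native IM ports (real); the descriptions are for the report only.
IM_PORTS = {1863: "MSN Messenger (MSNP)", 5050: "Yahoo Messenger (YMSG)"}

# Assumed URL-path signatures for the HTTP-tunneling fallback of IM clients.
# Real products use their own paths; treat these as placeholders to be tuned.
IM_HTTP_PATTERNS = [
    (re.compile(r"/gateway/gateway\.dll", re.I), "assumed MSN HTTP gateway path"),
    (re.compile(r"/notify/", re.I), "assumed Yahoo HTTP pager path"),
]

# Ports a CONNECT tunnel is allowed to reach; anything else is worth a look.
ALLOWED_CONNECT_PORTS = {443}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, target, status = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "target": target, "status": int(status)}


def target_host_port(method, target):
    """Return (host, port) for either a CONNECT host:port or an absolute URL."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep:
            return target, None
        return host, int(port) if port.isdigit() else None
    parts = urlsplit(target)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname or "", parts.port or default


def classify(rec):
    """List the reasons a record looks like IM traffic crossing the proxy."""
    reasons = []
    host, port = target_host_port(rec["method"], rec["target"])
    if port in IM_PORTS:
        reasons.append(f"destination port {port} is {IM_PORTS[port]}")
    if rec["method"] == "CONNECT" and port not in ALLOWED_CONNECT_PORTS:
        reasons.append(f"CONNECT tunnel to non-TLS port {port}")
    if rec["method"] != "CONNECT":
        path = urlsplit(rec["target"]).path
        for pattern, name in IM_HTTP_PATTERNS:
            if pattern.search(path):
                reasons.append(f"URL path matches {name}")
    return reasons


def detect_im_tunneling(log_text):
    """Run the checks over every parseable line and return the findings."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"client": rec["client"], "target": rec["target"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_im_tunneling(SAMPLE_LOG):
        print(f["client"], f["target"])
        for r in f["reasons"]:
            print("   -", r)
```

On the sample above the detector reports four of the six lines: the two CONNECT tunnels to 1863 and 5050, and the two POSTs to the assumed gateway paths; the ordinary GET and the CONNECT to port 443 pass. The port-based rules are the robust part; the path signatures are the part that a proxy vendor, or you, has to keep current as clients change their HTTP fallbacks, which is the gap the message above is complaining about.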


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards