Re: [fw-wiz] (no subject)



On 19/06/06 22:18 -0400, Paul D. Robertson wrote:
<snip>

That's been true of every new protocol in the last 6 or 7 years, if not
longer. If you're going to let users install things, you're going to have
to deal with it. Software restriction policies, ACLs, etc. You can't
give up control of the end platform, then expect to get decent security
by blocking arbitrary ports.

Also, a lot of people have problems with corporate policies not allowing
the opening of ports, or too bureaucratic procedures for doing so. They
can generally expect that HTTP will be open, and hence the desire to
run everything over HTTP. What we need is a proxy which will analyse
HTTP traffic content, and filter _that_.

I mean that we need a proxy which will analyse the contents of the XML
request, and then allow or deny based on that.

If you think this is bad, consider SOAP. XML over HTTP, so no new ports
have to be opened (yay! it just works!). And the XML is a wrapper around
an entirely new protocol, which would at one time have needed a separate
port (and hopefully, a proxy).

Now with application writers deciding that supporting so many platforms
is hard and writing web applications, we have a system where the OS is a
browser, code is dynamic (Javascript and AJAX, anyone?) and all code is
tunneled over a protocol with holes you could drive a truck (or two)
through (HTTP).

Firewalls are turning into a joke here. If you were worried about
tunnels, now start worrying about tunnels in tunnels.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: Web Proxy Filter exception not working
    ... Allow all traffic but HTTP between all protected networks and the ... Unrestricted internet access between all protected networks and the ... The unfiltered protocol is denied so all other HTTP traffic still uses ... The intial connection to the MetroList site uses my unfiltered protocol. ...
    (microsoft.public.isa.configuration)
  • Re: Is HTTP an Async Protocol
    ... If you say that HTTP is 3 layers, which is true in one sense, ... TCP/IP is an asynchronous protocol (like most ... > network protocols). ... >> "asynch" is a term related to programming. ...
    (microsoft.public.dotnet.framework.aspnet)
  • gravagno considers himself an expert like some kind of a tech lawyer an expert on all this
    ... part of Hypertext Transfer Protocol -- HTTP/1.1 ... HTTP Version ... The number is incremented when the format of a message within the ... Transfer-coding values are used to indicate an encoding transformation ...
    (comp.databases.pick)
  • Re: BSTR property returns invalid strings when using multiple sinks
    ... > A connection point event is defined corresponding to each packet that may ... > Now we typically use 2 serial ports. ... One that does proper protocol ... The protocol data and the log data coming from the 2 ...
    (microsoft.public.vc.atl)
  • Re: need explanation from a question for 70-291 exam MS Press bo
    ... the ports and protocols required are: ... IP protocol 50 to send data. ... packet filters, but I am not sure to understand the question this way. ... in front of VPN server w/ L2TP). ...
    (microsoft.public.windows.server.networking)