Re: [fw-wiz] How automate firewall tests

And you can equally argue that proxies were never good to begin
with. Really - the majority of applications out there have no real
layer 7 level proxy so you have to tackle the problem from other
directions. And the off-the-shelf proxies (smtp, dns, http, etc.)
don't offer much value since these applications have been tested to
death or the application isn't "protected" anymore. What is the
point of recommending a solution that doesn't exist? I am a fan of
proxies but the reality is the firewall - whether it be proxy or
other - is only a small part of the equation.

t.s

On Aug 20, 2006, at 10:35 PM, Marcus J. Ranum wrote:

Isaac Van Name wrote:
You have referred to packet-based firewalls as being outdated.

I'm not sure if they're "outdated" as much as "never were particularly
good to begin with"

Remember: popularity is not a reliable gauge of quality. The fact that
most of the firewalls that are fielded today are packet-based (with a
smidgeon of state-tracking thrown in) should concern anyone, when the
vast majority of attacks currently being fielded are above the packet
layer. If you want to look at things from my (admittedly weird)
perspective, the current fondness for "patch your software constantly"
is proof positive that packet-based firewalls don't (and never did)
work except for at a very gross level.

The architecture of a "good firewall" would be some kind of layer-7
processor that did application protocol correctness verification and
minimization, as well as some content analysis and filtering. Of
course it'd have to do it extremely fast, or nobody'd want it. Which
is why it doesn't exist. To get that much layer-7 processing done at
high speeds you'd need silicon, and since silicon isn't particularly
mutable (not the fast kind, anyhow) you'd be constantly bumping
against application incompatibilities and that wouldn't sit well.

I guess what I'm saying is "hardly anyone actually WANTS a good
firewall."

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
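Ranum's "application protocol correctness verification and minimization" can be made concrete with a toy layer-7 filter for SMTP commands: it forwards only a whitelisted command set, checks each command's argument against a strict grammar, enforces the line-length and CRLF rules, and rewrites what it forwards into one canonical form. This is an added example and not code from either poster or from any firewall product; the permitted command set, the argument grammars, the limits and the sample session below are constructed for illustration and do not attempt full RFC 5321 conformance.

```python
"""Toy layer-7 SMTP command verifier/minimizer (added illustration).

Assumptions (not from the thread): the ALLOWED table and its argument
grammars are a deliberately small subset chosen for the example.
"""
import re

# Minimization: only the verbs this site needs, each with a strict
# argument grammar. Anything else is dropped, not passed through.
ALLOWED = {
    "HELO": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "EHLO": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "MAIL": re.compile(r"FROM:<[^<>\s]{0,254}>", re.IGNORECASE),
    "RCPT": re.compile(r"TO:<[^<>\s]{1,254}>", re.IGNORECASE),
    "DATA": re.compile(r""),
    "RSET": re.compile(r""),
    "NOOP": re.compile(r""),
    "QUIT": re.compile(r""),
}
MAX_LINE = 512  # RFC 5321 command-line limit, CRLF included


def check_command(line: bytes):
    """Verify one raw command line.

    Returns ("forward", canonical_line) or ("reject", reason).
    """
    if len(line) > MAX_LINE:
        return "reject", "line too long"
    if not line.endswith(b"\r\n"):
        return "reject", "missing CRLF"
    body = line[:-2]
    # Correctness: a command line is printable 7-bit ASCII only.
    if any(b < 0x20 or b > 0x7E for b in body):
        return "reject", "non-printable byte"
    text = body.decode("ascii")
    verb, _, arg = text.partition(" ")
    verb = verb.upper()
    arg = arg.strip()
    if verb not in ALLOWED:
        return "reject", f"command {verb!r} not permitted"
    if not ALLOWED[verb].fullmatch(arg):
        return "reject", f"malformed argument for {verb}"
    # Canonical form: upper-case verb, single space, trimmed argument.
    canonical = verb + (" " + arg if arg else "") + "\r\n"
    return "forward", canonical


def check_session(lines):
    """Run check_command over a sequence of client lines."""
    return [check_command(line) for line in lines]


# Constructed sample session; the rejected lines are typical of what a
# packet filter passes untouched but a protocol-aware proxy drops.
SAMPLE_SESSION = [
    b"EHLO mail.example.com\r\n",
    b"mail from:<alice@example.com>\r\n",        # lower-case verb, canonicalized
    b"RCPT TO:<bob@example.net>\r\n",
    b"VRFY root\r\n",                             # verb not in the allowed set
    b"MAIL FROM:<" + b"A" * 300 + b">\r\n",       # argument over the grammar's limit
    b"RCPT TO:<bob@example.net>\n",               # bare LF, not CRLF
    b"DATA\r\n",
]


if __name__ == "__main__":
    for raw, (verdict, detail) in zip(SAMPLE_SESSION, check_session(SAMPLE_SESSION)):
        shown = raw[:40] + (b"..." if len(raw) > 40 else b"")
        print(f"{verdict:8} {shown!r} -> {detail!r}")
```

Two points the code makes that the paragraph does not: the canonicalization step means the server behind the proxy only ever sees one spelling of each command, and the whitelist means a new server-side command (or a parser bug in one) is unreachable until someone deliberately adds it to the table. That is the "minimization" half of Ranum's description, and it is also why such a proxy breaks when an application starts using a verb nobody anticipated.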

