Re: [fw-wiz] How automate firewall tests



nquneH,

On Mon, Aug 21, 2006 at 09:15:42AM -0400, Paul D. Robertson wrote:
> On Mon, 21 Aug 2006, Tim Shea wrote:
>
>> And you can equally argue that proxies were never good to begin
>> with. Really - the majority of applications out there have no real
>
> I've got clients who at least have some benefit from running HTTP through
> a proxy and stopping various MIME types. It's not perfect by any stretch
> of the imagination, but it stops a fair volume of malware/spyware daily.

..and if you strip scripts from untrusted sites, you get rid of most of
malicious XSS and browser attacks, add XML policy filter (properly configured)
and.. you still have tons of ugly uncontrolled stuff but things look not
*that* bad already.

I wonder why there is no open source XML filter engine. Looks like we
have to develop that one.


>> layer 7 level proxy so you have to tackle the problem from other
>> directions. And the off the shelf proxies (smtp, dns, http, etc)
>> don't offer much value since these applications have been tested to
>
> With a proxy, DNS doesn't go down to the client- that's a huge win in the
> anti-tunnel arena. Where I have clients who do MS Exchange internally,
> the SMTP proxy keeps them from spewing SMTP from an infected client as
> well...
>
>> death or the application isn't anymore "protected". What is the
>> point of recommending a solution that doesn't exist? I am a fan of
>> proxies but the reality is the firewall - whether it be proxy or
>> other - is only a small part of the equation.
>
>
> A chance to arbitrate the conversation isn't necessarily a bad thing-
> especially if you can't control the end nodes.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
> http://fora.compuwar.net Infosec discussion boards
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


