Re: [fw-wiz] How automate firewall tests



Tim Shea wrote:
And you can equally argue that proxies were never good to begin
with. Really - the majority of applications out there have no real
layer 7 level proxy so you have to tackle the problem from other
directions.

That's exactly what I mean. It goes deeper than that, really. Most
applications out there today have no layer 7 *specification* -- never
mind a proxy. They're simply a bunch of poorly-understood stuff
going back and forth on a connection. Nobody can filter it for
correctness because nobody even knows what correctness
*means* in that case. Or, you get protocols like the VOIP suite,
which are an amalgamation of poorly-designed and over-designed
standards and features; there's no sensible way to go through
and apply protocol minimization because there's no real
protocol, just a feature set driven by a bunch of commands
that are executed in an arbitrary order.

Insecurity is a problem of complexity and trust. We can't fix
trust with technology, and the complexity of current applications
software has completely escaped our grasp. Until such a time
when app protocols are well-designed and specified (ain't gonna
happen!) we're not going to have meaningful progress in security,
we'll just have the "band aid of the month club." For the record,
I never felt firewalls were a solution to the problem (proxy or
otherwise) they're simply a centralizable band aid. The reason
that packet-oriented firewalls suck is because they're locked
into the permit/deny-packet model and that means it's impossible
to do protocol minimization. I don't think anyone does that any
more, anyhow, so it's largely a moot point.

On the other hand, the customers of the "computer security
industry" are spending about $1 billion annually on all the
computer security "solutions" yet the situation is getting worse.
What does that tell you? It tells me the "conventional
wisdom" isn't.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


