Re: [fw-wiz] Firewalls that generate new packets..

On Fri, 23 Nov 2007, Dave Piscitello wrote:

Not certain what you mean when you limit the discussion to
Internet-enabled software vendors but I am pretty certain that everyone
who runs an SSL VPN is running a proxy of some sort.

I didn't say "Internet-enabled software vendors" because I meant
"applications that at some point in their life, but after their initial
design were given grafted-on Intenret-based functionality."

Specifically, in the last couple of years I've dealt with ERP/CRM,
Shipping and Financial Services (Payroll) vendors who've all been
unpleasantly surprised when software they've had fielded for anywhere from
six months to six years doesn't work when presented with an HTTP proxy
_even though there are provisions in their applicaiton code for setting
up a proxy_.

In every case, whatever brain damaged code was used to invoke proxy
support ended up doing direct DNS lookups and trying to connect directly
to the vendor's systems- and it took lots of packet traces to "prove"
their software didn't work as advertised (and in every case there was the
immediate request to "remove the firewall" or "open ports" to be met with
"the network isn't architected that way and won't be modified thusly.")

In the case of the ERP/CRM system, the code was "validated" by a third
pary service provider who obviously dropped the ball in whatever "testing"
they did because the proxy code functioned in "test your connectivity"
mode but not in "send your data" mode. It took two days to bypass the
vendor's phone firewall known as "technical support" which was neither
technical nor supportive.

It's pretty clear to me that where there's a proxy/filter choice to be
made, the default is "filter/NAT" enough of the time that vendors are
shocked when their code is questioned because "it works for everybody
else" just fine. Heck, I had one major shipping vendor punt to dial-up
rather than work with a vendor to fix their offering.

Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."

firewall-wizards mailing list