Re: [fw-wiz] Firewalls that generate new packets..



Timothy Shea wrote:
> I would add to your comments that
> an outgoing proxy (such as squid or bluecoat) allows you to eliminate
> the dreaded "completely open outbound default" rule found on many
> corporate firewalls and allows a higher degree of auditing.

You raise a really interesting point - and the next big problem.
Namely, that's going to be malcode that tunnels over SSL. It's
already a problem, but it's still at the "tip of the iceberg" stage.

I like asking my clients what they have in place to deal with
that when it comes. By the way, I don't think that border
decryptor/MITM proxies are the answer; they'll get DDOS'd
by malcode traffic from within if the floodgates open the
way I expect them to. The right answer would be to white-list
sites that are business critical for SSL and deny all the
rest. I predict a long period of denial, thrashing, hand-wringing,
duct-tape, and band-aids before reality sets in. Although
with the new high-speed silicon-based band-aids the race
will be neck and neck for a while.

#include <obligatory/itoldyouso.h>

mjr.
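
The allow-list approach described above (sanctioned SSL destinations only, everything else denied, every request logged) expressed as a Squid forward-proxy policy. This is an added example, not configuration from the thread; the client ranges, domain names and log path are placeholders, and it deliberately does no SSL interception.

```conf
# Added example: a minimal Squid policy that replaces an
# "allow anything outbound" firewall rule with an explicit
# allow-list for SSL (CONNECT) destinations.
# Networks, domains and paths below are placeholders.

# Internal client networks permitted to use the proxy
acl localnet src 10.0.0.0/8
acl localnet src 192.168.0.0/16

# Only this port may be tunnelled with CONNECT
acl SSL_ports port 443

# Ports that may be proxied at all (plain HTTP and HTTPS)
acl Safe_ports port 80
acl Safe_ports port 443

acl CONNECT method CONNECT

# Business-critical SSL destinations (placeholders).
# A leading dot matches the domain and all of its subdomains.
acl ssl_allowlist dstdomain .payroll-provider.example
acl ssl_allowlist dstdomain .crm-vendor.example
acl ssl_allowlist dstdomain .os-updates.example

# Refuse anything on an unsanctioned port
http_access deny !Safe_ports
# Refuse CONNECT tunnels to anything but 443
http_access deny CONNECT !SSL_ports
# Refuse CONNECT to any SSL site not on the allow-list
http_access deny CONNECT !ssl_allowlist
# Internal clients may use the proxy for what remains
http_access allow localnet
# Default deny: anything not matched above is refused
http_access deny all

# Every request, allowed or denied, is recorded for auditing
access_log /var/log/squid/access.log squid
```

The policy only has effect if the border firewall permits outbound 80/443 from the proxy alone, so the denied CONNECT entries in the access log become the audit trail for unexpected SSL traffic from inside.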

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards