Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift



----- Original Message ----
From: Kristian Erik Hermansen <kristian.hermansen@xxxxxxxxx>
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
Sent: Friday, November 30, 2007 6:31:33 AM
Subject: Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift

On Nov 30, 2007 8:12 AM, George Capehart wrote:
Some light reading for the weekend . . . Thought it'd stir the pot a
bit more for the "Firewalls that generate new packets . . ." thread. ;>

http://www.darkreading.com/document.asp?doc_id=140121&f_src=drweekly

You're talking about a layer7 firewall. I almost worked for Palo Alto
Networks. They have some bright guys over there, mainly founders of
Netscreen. They have great VC backing from the big guys, and it could
become more mainstream, but it's not really anything new. Standard
layer3/4 firewalling is insufficient these days, but as soon as you
start tunneling data over ssh/ssl, then a layer7 fw doesn't matter
anyway. However, it will be interesting to see just how many bugs
are introduced into these new devices. There is no way a company
could implement all the common protocols properly, because even some
vendors don't know how they work :-)

I agree, a perimeter firewall isn't the answer for everything, since the 'wall' can only be built so high, plus it can't read inside tunnels, as you said. The firewall has to be between the O.S. and the untrusted code, since the entry points are:

1. File System [file system filters]
2. Registry [file system filters]
3. Network (also internal network and local network services) [TDI filters]
4. COM services
5. User Shell [global hooks, keyloggers]
6. System Calls [protected storage, etc]
7. Misc. other holes that access the O.S.

Good luck in getting perimeter firewalls to filter any of the above.

GreenBorder did this, and the company (mostly our development team and code) was bought by Google. Check Point then started experimenting with 'ForceField' (http://download.zonealarm.com/bin/free/beta/forcefield/index.html).

Bill Stout
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards