Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift



Sorry to rez this thread but I am curious.

david@xxxxxxx wrote:

> what you need to be able to do is to enforce valid HTTP,

This would indeed be a positive step but:

What is "valid HTTP"?
Who defines it (not being naive here, but it does not seem that W3C is the answer when tens of millions of browsers will do HTTP according to what the vendor releases, which becomes de facto "valid")?

Who asserts/certifies that client and server software comply with it?

> and work to detect the common ways of tunneling other things across it.

I don't quite know how to interpret "common ways of tunneling". Tunneling apps in HTTP is seriously broken. The logic behind an application developer reaching the conclusion that the best way to assure that his application port is not blocked by a firewall egress traffic policy is to employ firewall evasion techniques is way broken. That this "clever workaround" became common practice not only for HTTP, but that certain apps go so far as to port probe for any open outbound path is even more broken.

Yes, this is common, but frankly, common sucks. What makes it "beyond sucking" is that common has become *accepted*.

David Piscitello
