Re: [fw-wiz] Dark Reading: Firewalls Ready for Evolutionary Shift



Sorry to rez this thread but I am curious.

david@xxxxxxx wrote:

> what you need to be able to do is to enforce valid HTTP,

This would indeed be a positive step but:

What is "valid HTTP"?
Who defines it (not being naive here but it does not seem that W3C is the answer when tens of millions of browsers will do HTTP according to what the vendor releases, which becomes de facto "valid").

Who asserts/certifies that client and server software comply with it?

> and work to detect the common ways of tunneling other things across it.

I don't quite know how to interpret "common ways of tunneling". Tunneling apps in HTTP is seriously broken. The logic behind an application developer reaching the conclusion that the best way to assure that his application port is not blocked by a firewall egress traffic policy is to employ firewall evasion techniques is way broken. That this "clever workaround" became common practice not only for HTTP, but that certain apps go so far as to port probe for any open outbound path, is even more broken.

Yes, this is common, but frankly, common sucks. What makes it "beyond sucking" is that common has become *accepted*.
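The two halves of the quoted suggestion, "enforce valid HTTP" and "detect the common ways of tunneling other things across it", as an added example that is not code from this thread or from any of its participants. It checks an HTTP/1.1 request head against the RFC 7230 token and field grammar, rejects the header combinations the RFC itself says to reject, and then applies two tunneling heuristics. The heuristics (CONNECT is only expected toward port 443; a body that opens with an SSH banner or a TLS record header is not HTTP payload) are policy assumptions of this example, not rules stated in the post, and a real deployment would tune them to its own egress policy.

```python
import re

# RFC 7230 grammar pieces: tchar for tokens, HTTP-version, and a field-value
# restricted to printable ASCII plus SP/HTAB (no obs-fold, no CR/LF/controls).
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
VERSION = re.compile(r"^HTTP/[0-9]\.[0-9]$")
FIELD_VALUE = re.compile(r"^[\t \x21-\x7e]*$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "PATCH", "CONNECT"}

# Policy assumptions of this example (not from the thread):
TUNNEL_PORTS = {"443"}                   # CONNECT is only expected to TLS ports
NON_HTTP_MAGIC = (b"SSH-", b"\x16\x03")  # SSH banner / TLS record header


def validate_request(raw: bytes) -> list:
    """Return a list of findings for one raw request; [] means it passed."""
    findings = []
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["header block is not terminated by CRLF CRLF"]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]

    # Request line: exactly one SP between METHOD, TARGET and VERSION.
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return ["request line is not 'METHOD TARGET VERSION'"]
    method, target, version = parts
    if not TOKEN.match(method):
        findings.append(f"method is not a token: {method!r}")
    elif method not in KNOWN_METHODS:
        findings.append(f"unregistered method: {method}")
    if not VERSION.match(version):
        findings.append(f"bad HTTP version: {version!r}")
    if not target or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        findings.append("request-target contains whitespace or control characters")

    # Header fields: name must be a token with no space before the colon.
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not TOKEN.match(name):
            findings.append(f"malformed header line: {line!r}")
            continue
        value = value.strip(" \t")
        if not FIELD_VALUE.match(value):
            findings.append(f"control characters in value of {name}")
        headers.setdefault(name.lower(), []).append(value)

    # Semantic checks RFC 7230 requires a conforming receiver to enforce.
    if version == "HTTP/1.1" and "host" not in headers:
        findings.append("HTTP/1.1 request without Host header")
    if len(headers.get("host", [])) > 1:
        findings.append("multiple Host headers")
    if len(headers.get("content-length", [])) > 1:
        findings.append("multiple Content-Length headers (smuggling indicator)")
    if "content-length" in headers and "transfer-encoding" in headers:
        findings.append("Content-Length together with Transfer-Encoding (smuggling indicator)")
    for cl in headers.get("content-length", []):
        if not cl.isdigit():
            findings.append(f"non-numeric Content-Length: {cl!r}")

    # Tunneling heuristics (example policy, see assumptions above).
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not host or port not in TUNNEL_PORTS:
            findings.append(f"CONNECT to non-TLS port: {target}")
    if body and body.startswith(NON_HTTP_MAGIC):
        findings.append("body begins with a non-HTTP protocol banner (SSH/TLS)")
    return findings


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in (
        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
        b"CONNECT ssh.example.com:22 HTTP/1.1\r\nHost: ssh.example.com:22\r\n\r\n",
        b"POST /up HTTP/1.1\r\nHost: a\r\nContent-Length: 8\r\n\r\nSSH-2.0-",
    ):
        print(sample.split(b"\r\n")[0], validate_request(sample))
```

The grammar part answers "what is valid HTTP" in the only way a firewall can act on it: the wire syntax the RFCs define, independent of what any browser vendor ships. The heuristics part is where the "common ways of tunneling" judgement lives, and it is deliberately separated so that it can be tightened or relaxed per site without touching the syntax enforcement.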

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards