Re: [fw-wiz] Firewall rules order and performance



On Wed, Jul 29, 2009 at 10:27 AM, <jdg.ieee@xxxxxxx> wrote:
Selon Eric Gearhart <eric@xxxxxxxxxxxxx>:
On Mon, Jul 27, 2009 at 1:21 AM, Jean-Denis Gorin<jdgorin@xxxxxxxxxxxx>
wrote:
Who remembers that firewalls (as application gateways) were designed to solve
(or to ease a lot) the patch management problem?
Now, we are back to patch management as the solution for all problems
because dumb people (managers, marketers, buyers, system admins, network
admins, developers, or whatever fits your situation) are unable (or
unwilling) to understand what a firewall is, and what it is for...

Part of the problem with your argument is that in order for e.g. a web
server to be reached, port 80 (and maybe port 443) has to be allowed
through the firewall. That fact alone means that the webservers have
to be patched, because as long as the firewall is allowing legitimate
traffic through, it could also be allowing malicious traffic
through...

The problem with your argument is that you don't know what a firewall is... ;)
(no offense intended)

A firewall IS NOT a layer 3 filter (yes, I know that most of the marketing folks
told you that a "stateful packet inspection" thing is a firewall, but that's
WRONG in a lot of different ways...).
A firewall is a layer 7 proxy (also known as an application gateway). So, you don't
need to patch your application, nor the underlying OS because they are
completely concealed from the outside.

http://en.wikipedia.org/wiki/Firewall#First_generation_-_packet_filters
(I know, I know, don't cite WP... but it looks reasonably accurate)
makes it sound like the term started with "packet filter," then
evolved to stateful packet inspection, then the third generation of
the term evolved into your definition...

Isn't something that's actively looking at application traffic more of
an application-level IPS, such as OSSEC or something along those
lines?

I will sheepishly admit that the original post included the term
"application gateway" specifically though... well played

--
Eric
http://nixwizard.net
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
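The distinction jdg draws above, a port-level packet filter versus a layer 7 application gateway, as an added, constructed illustration (not code from the thread or from any participant): the filter decides from the destination port alone, so whatever bytes arrive on port 80 reach the web server, while the gateway parses the HTTP request and relays only what it can validate. ALLOWED_PORTS, ALLOWED_METHODS, the two decision functions and the sample requests are assumptions made for this example.

```python
"""Port filter vs. application gateway: what each one actually decides on.

Constructed example. A stateful packet filter sees a TCP port; an
application gateway sees the protocol. Only the latter can refuse input the
protected server would otherwise have to be patched against.
"""
import re

ALLOWED_PORTS = {80, 443}                     # all a layer-3/4 filter knows
ALLOWED_METHODS = {"GET", "HEAD", "POST"}     # what the gateway is willing to relay
MAX_TARGET_LEN = 2048                         # cap on the request-target length

# Request line: METHOD SP origin-form-target SP HTTP/1.0|1.1
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (/[^\s]*) HTTP/1\.[01]$")
# Header field: token ":" OWS field-value (no CR/LF inside the value)
HEADER_LINE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*([^\r\n]*)$")


def packet_filter_allows(dst_port: int, payload: bytes) -> bool:
    """Packet-filter decision: the port is open, so the payload is passed as-is.

    The payload is never inspected; it is accepted for signature compatibility
    only, to make the contrast with gateway_allows() explicit.
    """
    return dst_port in ALLOWED_PORTS


def gateway_allows(payload: bytes) -> bool:
    """Gateway decision: relay only a syntactically valid HTTP/1.x request head."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False                          # no complete header block: drop it
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m or m.group(1).decode("ascii") not in ALLOWED_METHODS:
        return False                          # garbage or a method we do not proxy
    if len(m.group(2)) > MAX_TARGET_LEN:
        return False                          # oversized target never reaches the server
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return False                      # malformed header field
    return True


if __name__ == "__main__":
    junk = b"\x00\xff" * 8                    # constructed non-HTTP bytes on port 80
    good = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    print("filter passes junk:", packet_filter_allows(80, junk))     # True
    print("gateway passes junk:", gateway_allows(junk))              # False
    print("gateway passes valid:", gateway_allows(good))             # True
```

The point is the asymmetry in the last three lines: the filter's answer for the junk payload is identical to its answer for a valid request, because the port is the only input it has.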