Re: [fw-wiz] Firewall best practices

Martin Barry wrote:
> Marcus, are you referring to DPI or proxies or both or something else?

I wasn't referring to anything in specific; I think, though,
that we've moved past the point where we can think of firewalls
as just source/dest IP source/dest port and we need to start
characterizing genres and sub-genres of traffic. There was a
time when Jon Postel said that "Email is the new datagram"
but now "HTTP is the new IP" - we've lost the battle on trying
to have HTTP just be a fetch protocol for data; it's now a
much more complicated thing with genres and sub-genres and
probably sub-sub-genres of traffic. We can't meaningfully
"firewall" traffic if "permit source HTTP ANY" includes
VPNs, bidirectional commands, voice data, and who knows
what else?

We're reaping the rewards of ignoring that problem, in the
form of firewall-busting malware that does all the stuff
that yesterday's "firewall friendly application" used to
do. I guess what I'm saying is that we need application
friendly firewalls to undo the damage from the firewall
friendly applications. :) I think that the vendors'
technology strategies largely show an awareness of the
problem; they mostly have some kind of increasingly
powerful layer-7 processing capability either in the
product, in the works, or on the roadmap. They've got
to, because firewall friendly applications are about
as friendly to the firewall as a bullet to the head.

You're completely right about the "if the application
emulates HTTPS traffic" problem. I don't have an answer
to that one other than "we warned everyone that that
was going to be a problem." At this point, it's less of
a technical problem than a social one. It seems to me that
an organization cannot claim to be concerned about
security while allowing user-oriented encrypted outgoing
links to any target. That's just foolishness. The fact
that "everyone does it" doesn't make it any less foolish.
Back in the proxy days we advocated tying outgoing
connections to an authenticated user; that's another
important aspect of the problem that gets short shrift.

Marcus J. Ranum CSO, Tenable Network Security, Inc.
firewall-wizards mailing list
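The "genres of HTTP traffic" point above, as an added example that is not from the post or from any Tenable product: a toy layer-7 classifier that sorts raw HTTP requests into genres a port/IP rule cannot see (plain fetch, CONNECT tunnel, bidirectional upgrade, open-ended upload) and applies a policy that permits plain fetches but ties every other genre to an authenticated proxy user, in the spirit of the old proxy-era advice. The sample requests, the `PRIVILEGED_USERS` list and the Basic-auth handling are all constructed for this demo; a real proxy would verify the credential against its auth backend instead of just reading the user name out of the header.

```python
"""
Added example: classify HTTP requests by "genre" and bind non-fetch genres
to an authenticated proxy user. Everything below (samples, user list) is
constructed for illustration; it is not code from the original post.
"""
import base64
from typing import Dict, Optional, Tuple

# Hypothetical allow list: users who may open tunnels, upgrades or streams.
PRIVILEGED_USERS = {"alice"}


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, lowercase headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def classify(raw: bytes) -> str:
    """Assign one of the genres a port-80/443 rule silently lumps together."""
    method, _target, h = parse_request(raw)
    if method == "CONNECT":
        return "tunnel"            # opaque byte pipe: VPN, SSH, anything
    connection = h.get("connection", "").lower()
    if h.get("upgrade", "").lower() == "websocket" or "upgrade" in connection:
        return "bidirectional"     # full-duplex channel, e.g. remote control
    if method in ("POST", "PUT") and h.get("transfer-encoding", "").lower() == "chunked":
        return "stream"            # open-ended upload: voice data or beaconing
    if method in ("GET", "HEAD") and "content-length" not in h and "transfer-encoding" not in h:
        return "fetch"             # the "just fetch a document" case
    return "other"


def proxy_user(headers: Dict[str, str]) -> Optional[str]:
    """Extract the user name from a Basic Proxy-Authorization header.

    Assumption for the demo: the credential is taken at face value. A real
    proxy must check the password against its authentication backend.
    """
    auth = headers.get("proxy-authorization", "")
    scheme, _, cred = auth.partition(" ")
    if scheme.lower() != "basic" or not cred:
        return None
    try:
        user, _, _pw = base64.b64decode(cred).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user or None


def decide(raw: bytes) -> Tuple[str, str]:
    """Policy: fetches for anyone; every other genre only for a known user."""
    genre = classify(raw)
    _m, _t, headers = parse_request(raw)
    user = proxy_user(headers)
    if genre == "fetch":
        return genre, "permit"
    if user in PRIVILEGED_USERS:
        return genre, f"permit (user {user})"
    return genre, "deny"


# Constructed sample requests; all hosts are placeholders.
SAMPLES = {
    "plain_get": b"GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "connect_anon": b"CONNECT vpn.example.net:443 HTTP/1.1\r\nHost: vpn.example.net:443\r\n\r\n",
    "connect_alice": (b"CONNECT mail.example.com:443 HTTP/1.1\r\nHost: mail.example.com:443\r\n"
                      b"Proxy-Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    "websocket": b"GET /chat HTTP/1.1\r\nHost: example.com\r\nConnection: Upgrade\r\nUpgrade: websocket\r\n\r\n",
    "chunked_post": (b"POST /stream HTTP/1.1\r\nHost: example.com\r\nTransfer-Encoding: chunked\r\n\r\n"
                     b"5\r\nhello\r\n0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        genre, verdict = decide(raw)
        print(f"{name:14s} genre={genre:14s} -> {verdict}")
```

Every one of these requests is "permit source HTTP ANY" to a port-based rule; only the anonymous CONNECT, the WebSocket upgrade and the chunked POST get refused here, and only because the proxy looked at the request itself and at who sent it.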
