Re: [fw-wiz] Proxies, opensource and the general market: what's wrong with us?

On Wed, Apr 27, 2011 at 01:52:48PM -0700, David Lang wrote:

> I think there is some room for a HTTP or XML firewall checker to be
> implemented and satisfy a lot of needs (technical needs that is, when
> management makes a decision that "all firewalls are going to be Cisco"
> or even "all firewalls must be commercial appliances" that trumps all
> technical issues), but right now I am not aware of any free tools in
> these spaces, completely ignoring the 'learning modes' of many of the
> commercial offerings.

At the moment I am trying to offload non protocol-related http checks to external
ICAP filters. For XML, I have some raw prototype, but I do not like the fact it
is based on libxml2 and inherits all potential vulnerabilities (as it is a huge
piece of code), and still there is a lack of an automated tool that can be used to
"formalize" "normal" xml flow to check for anomalies later. For several well-documented
protocols it is not needed, but aiming at SOA it is probably a must :-(

> openfwtk hasn't hit this yet for me as the key thing that I use FWTK
> for is the authenticated proxies and the last I checked it doesn't have
> an authsrv equivalent (or the ability for its proxies to tie in to an
> authentication source).

You must be missing something: authsrv is the part that required several fixes, so it
is there for sure, for a few years at least, and it has really improved much. Multiple groups per user are allowed, authentication
sources may be checked against netperm-table (you may write rules that restrict authentication
to a given proxy, or a given host), a unix local socket is supported as transport to avoid writing
complicated "loopback prevention" rules, etc etc.

I am thinking about adding radius and/or pam backends support, but still had no time to implement that.

> openfwtk also isn't the complete solution that
> Arknoid painted it to be, for many things it just says 'use tool X',
> which is a good thing to avoid re-inventing the wheel, but it doesn't
> result in the firewall API that he is looking for.

Unfortunately it still is not :-( Lack of resources, that is. Reimplementing full IMSpector, GreenSQL and privoxy
functionality is not non-trivial, it is just time consuming. Until then you need extra tools.

There is nothing wrong in the fact you need other tools that are outside OpenFWTK scope, though, like Prelude, log analyzers,

firewall-wizards mailing list
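The reply above mentions the missing piece for an XML firewall: a tool that "formalizes" what normal XML traffic looks like so that later documents can be checked for anomalies. The following is an added illustration of that idea in Python (it is not OpenFWTK code and not the prototype the author mentions). It learns a profile from a set of documents assumed to be benign (element paths, the attributes seen on each, the longest text per element, the maximum nesting depth) and then reports where a new document deviates. The sample order messages are constructed for the example; a real deployment would learn from captured traffic and, since the checker itself parses attacker-controlled XML, would parse with a hardened library such as defusedxml rather than the standard parser used here for brevity.

```python
"""Learn a profile of "normal" XML documents and flag later documents that
deviate from it. Added example for the thread above, not OpenFWTK code.
Assumes the training documents are known to be benign."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class XmlProfile:
    attrs: dict = field(default_factory=dict)     # element path -> attribute names seen
    max_text: dict = field(default_factory=dict)  # element path -> longest text seen
    max_depth: int = 0                            # deepest nesting seen


def _walk(elem, path, depth):
    """Yield (path, depth, element) for every element, depth-first."""
    here = f"{path}/{elem.tag}"
    yield here, depth, elem
    for child in elem:
        yield from _walk(child, here, depth + 1)


def learn(docs):
    """Build a profile from documents assumed to represent normal traffic."""
    prof = XmlProfile()
    for doc in docs:
        root = ET.fromstring(doc)
        for path, depth, elem in _walk(root, "", 1):
            prof.attrs.setdefault(path, set()).update(elem.attrib.keys())
            text_len = len((elem.text or "").strip())
            prof.max_text[path] = max(prof.max_text.get(path, 0), text_len)
            prof.max_depth = max(prof.max_depth, depth)
    return prof


def check(prof, doc, slack=2):
    """Return a list of anomaly descriptions; an empty list means the
    document stays inside the learned profile. `slack` lets text grow to
    `slack` times the longest value seen during learning before it is flagged."""
    findings = []
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"parse error: {exc}"]
    for path, depth, elem in _walk(root, "", 1):
        if path not in prof.attrs:
            findings.append(f"unknown element {path}")
            continue
        for name in elem.attrib:
            if name not in prof.attrs[path]:
                findings.append(f"unknown attribute {name} on {path}")
        text_len = len((elem.text or "").strip())
        if text_len > prof.max_text[path] * slack:
            findings.append(f"oversized text ({text_len} chars) in {path}")
        if depth > prof.max_depth:
            findings.append(f"nesting depth {depth} exceeds learned {prof.max_depth}")
    return findings


# Constructed sample traffic: two benign order messages used for learning.
NORMAL = [
    '<order id="1"><item sku="A1" qty="2"/><note>gift</note></order>',
    '<order id="2"><item sku="B7" qty="1"/><item sku="C3" qty="5"/>'
    '<note>ship fast</note></order>',
]
# Constructed suspect message: an extra attribute, a bloated text field and
# an element never seen during learning.
SUSPECT = ('<order id="3"><item sku="A1" qty="2" price="0"/><note>'
           + "x" * 200 + '</note><debug>1</debug></order>')


def demo():
    """Learn from NORMAL and return the findings for SUSPECT."""
    prof = learn(NORMAL)
    return check(prof, SUSPECT)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The profile is deliberately crude: it says nothing about value formats, ordering or cardinality, which a real "formalizer" would also want to learn. Its point is that the check is a whitelist derived from observed traffic, so anything not seen before is reported rather than silently passed, which is the opposite of a signature-based filter.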
