Re: Firewalls and Cryptography



VB,

Excuse the top posting but I'll respond after each of your comments:


Your statement was that a firewall cannot protect against viruses. They
can.

Seems to be a problem of definitions.

Yes it is and I took your comment at face value and as a stand-alone comment
but you obviously were thinking a few miles ahead.

A Virus Scanner is something that detects malware in streams or in
persistent data ("detecting negative things"). I'm not using virus
scanners that search RAM, because I think they're useless.

A Gateway AV solution is an on-the-fly solution so while the packet(s) are
being inspected, it's typically at wire speed on the bigger/better
appliances. Whether they're using a high-speed shift register or buffering
it in RAM, I don't know but supposedly, the "time hit" is only slightly
greater than a firewall only device. Manufacturer dependent. So, the AV is
not searching through RAM in this architecture.

A Firewall is a filtering entity in the path of network traffic, which
filters away any traffic that does not conform to a security policy
(where I define "allowed traffic", not "forbidden traffic", so this is
"detecting positive things and filtering away anything else" in network
traffic). These are the terms I'm working with commonly.

Understand.

You can say that a Virus Scanner can be a special case of firewall on
layer 7 according to RFC 2979, if it filters away data with malware.

You can say that a Firewall can be a special case of a virus scanner,
according to RFC 2979, if it filters on layer 7 and removes mails and
transmitted files with malware.

I would prefer not to define it in such a way, because this mixes terms. I'd
prefer to define that, if a firewall implementation filters that
way, it additionally has a virus scanner component (as I did).
Clear now?

Almost.....;-)

Your reference to RFC2979 made me go looking and digging a bit and I can't
see where this version http://rfc.net/rfc2979.html dated Oct 2000 allows
for those two statements - not even in the broadest sense. RFCs do change
and I may not have found the latest version.

You make a valid point about not wanting to group the two terms together
from a purist's viewpoint but the industry has already done so and they call
it UTM (Unified Threat Management). Every company seems to have a
different slant on what that means but for now - it's hype that has some
legitimacy and I have no doubt it will eventually be rolled into the
firewall definition. Right now, the "application" references in RFC2979 are
for applications that traverse a firewall. A Gateway AV solution does not
traverse the firewall but is a secondary function - after the firewall.

snip.....

I cannot see anything working with the exception of predefined patterns¹.
All heuristics I know have so many false positives and so few hits that
I would call them useless in practice.

It's obvious you do not care for antivirus solutions and I chuckled when I
read this statement in RFC2979. It pretty well sums up the definition of a
firewall:

Quoted from RFC2979.....in part....

"Nevertheless, it is important to remember that the only perfectly secure
network is one that doesn't allow any data through at all and that the only
problem with such a network is that it is unusable."

So where does that leave us? Right smack in the middle of choosing the
lesser of the evils. But in this case - and the reason I jumped in on this
thread was to point out that there is technology out there at a price point
that is reasonable and provides a modicum of security via a UTM approach for
small business, SOHO applications.

Is it good enough for the IBMs, GEs, AMEX-type companies - absolutely not
since they are big targets. But for a small business, yes, it's a
reasonable and efficient solution. Not perfect by a long shot but what else
would you recommend?


Bob S.
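The two filtering notions argued over in this thread, as an added example that is not part of either poster's text: a default-deny allow-list (the "detect positive things, filter away the rest" firewall) followed by a signature scan on the traffic the firewall let through (the gateway AV as a secondary function, which only drops what matches a known pattern). The policy tuples, the zone labels and the flows are constructed for the example; the one signature used is the standard EICAR antivirus test string.

```python
# Added example (not from the thread): a minimal model of the two filters.
# firewall_allows() is a positive filter: default deny, an allow-list.
# scan_payload() is a negative filter: default allow, drops only on a hit.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str        # source zone, e.g. "lan" or "wan" (constructed labels)
    dst_port: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # data carried by the flow, as the gateway sees it

# Allow-list policy: (source zone, protocol, destination port) tuples that
# are permitted. Everything else is forbidden by omission. Constructed.
POLICY = {("lan", "tcp", 25), ("lan", "tcp", 80), ("lan", "udp", 53)}

# "Predefined patterns" the gateway AV matches against. The EICAR string is
# the standard, harmless AV test pattern; the name is an arbitrary label.
SIGNATURES = {
    "eicar-test": b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

def firewall_allows(flow: Flow, policy=POLICY) -> bool:
    """Default deny: a flow passes only if the policy explicitly lists it."""
    return (flow.src, flow.proto, flow.dst_port) in policy

def scan_payload(payload: bytes, signatures=SIGNATURES):
    """Default allow: name of the first matching signature, or None."""
    for name, pattern in signatures.items():
        if pattern in payload:
            return name
    return None

def gateway(flow: Flow) -> tuple[str, str]:
    """Firewall first, then AV only on what the firewall passed (UTM order)."""
    if not firewall_allows(flow):
        return ("drop", "policy: not in allow-list")
    hit = scan_payload(flow.payload)
    if hit is not None:
        return ("drop", f"av: signature {hit}")
    return ("allow", "policy match, no signature hit")
```

Note that a flow from the "wan" zone is dropped by policy before the scanner ever sees its payload, whereas an allowed flow carrying the test string passes the policy check and is dropped only by the signature match.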


