Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: Aleph One <aleph1 () dfw net>
Date: Sun, 28 Sep 1997 15:44:43 -0500 (CDT)

On Sun, 28 Sep 1997, Marcus J. Ranum wrote:

      - Firewalls are good at providing access control
      on return traffic that is in response to a request
      that originated behind the firewall

I am not sure you can make this claim. The fact is that a firewall will
never be able to protect you from implementation errors. It does not
matter if the implementation is a client or server. Take for example
web browsers. The firewall may be configured to filter Java and Javascript
from incoming HTML, but what about that little known feature of Embedded
Browser 3.4 that came with your free copy of LameSuite 3.2 that lets
anyone do <MYOWNLAMESCRIPTINGLANGUAGE EXEC="c:\windows\format">? Or what
about users of some scriptable IRC client with the latest scripts with
backdoors?

  So yes, you are correct that firewalls force you to split your security
between the firewalls and host security on all systems. But it is naive to
think it hasn't always been this way. Until someone starts to develop a
firewall based on some AI techniques they are no more than a static filter
for a dynamically changing environment.

mjr.
-----
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
<A HREF=http://www.clark.net/pub/mjr>Personal</A>
<A HREF=http://www.nfr.net>Work</A>
<A HREF=http://www.clark.net/pub/mjr/websec>New Book!!</A>


Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
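
The browser example in the message above, as an added illustration that is not part of the original post: a static denylist HTML filter strips the tags it was written for and forwards the hypothetical vendor tag untouched. The rule sets and the sample page are constructed for this example, and recording unrecognised tags for review is an assumption added here.

```python
from html.parser import HTMLParser

# Assumed rule set for this example: what the filter strips, and what it recognises.
BLOCKED = {"script", "applet"}
KNOWN = BLOCKED | {"html", "head", "title", "body", "p", "a", "b", "i", "br"}

class DenylistFilter(HTMLParser):
    """Static filter: drops blocked elements, forwards everything else."""
    def __init__(self):
        super().__init__(convert_charrefs=False)  # re-emit entities unchanged
        self.out, self.unknown, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED:
            self.skip += 1                        # entering a blocked element
        elif not self.skip:
            if tag not in KNOWN:
                self.unknown.append(tag)          # forwarded, but worth logging
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        if tag not in BLOCKED:                    # <x/> has no separate end tag
            self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in BLOCKED:
            self.skip = max(0, self.skip - 1)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")

def filter_html(page):
    """Return (filtered page, forwarded tags the rule set did not recognise)."""
    f = DenylistFilter()
    f.feed(page)
    f.close()
    return "".join(f.out), f.unknown

# Constructed sample page; the last tag is the hypothetical one from the message.
SAMPLE = ('<html><body><p>Free upgrade!</p><script>alert(1)</script>'
          '<applet code="Demo.class"><param name="x" value="1"></applet>'
          '<MYOWNLAMESCRIPTINGLANGUAGE EXEC="c:\\windows\\format"></body></html>')
```
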


