Firewall Wizards mailing list archives

Re: firewalls and the incoming traffic problem


From: Darren Reed <darrenr () cyber com au>
Date: Mon, 29 Sep 1997 12:06:50 +1000 (EST)

In some mail I received from Marcus J. Ranum, sie wrote
[...]
      - Firewalls are poor at providing access control
      on "unsolicited" incoming traffic to generic
      services that are "required" as part of being on
      the Internet

Hmmm, you didn't mention that they're poor for providing access control
on WWW surfing so I assume you're okay with this ;)  You might want to
add that they're good for political status inside some companies - the
only ones to have access approved are those closest to the relevant
managers.

      - The number of generic services is increasing
      slowly
      - The number of implementations of the generic
      services is increasing dramatically

Hmmm, I'm not sure either of these has a direct impact except in terms of
the complexity of the firewall.  Where before you only need to worry about
(say) IP over email, now you need to worry about IP over HTTP and others.

Curiously, although the number of generic services are increasing, it is
the same sort of problem, in each case, which the firewall must deal with
and nearly all of these are related to `rich content'.

It would seem that the "ultimate" firewall is one in which you can safely
and accurately emulate the backend handling of some data, observe what
happens as a result of that handling and then decide what to do with it.
I don't know how useful that is for _all_ services that people want to
push through firewalls, but it does handle those not so easily addressed
(in security terms) by packet filtering.

In the mail example you gave, there would be some sort of simulation for
handling mail to unix system (and thus correct handling of /bin/sh) as
well as emulating NT (the C:\autoexec.bat example).  If I've defined my
mail delivery emulation such that it should only expect data to be saved
to a certain file but in delivery a program is run, an exception flag
would be raised and the mail dropped.  Hmmmm, anyone want to write a
firewall in java ? ;)

However, I think this is just a nice dream for a lot of us as it'd be
immensely complex to configure and keep up to date - never mind program!

Darren
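The "emulate the backend, watch what would happen, then decide" screen sketched in the post, written out as an added illustration; this is not code from the original message or from any firewall product. It assumes two constructed backends (a UNIX-style alias table that can expand a recipient to a mailbox file or to a program, and an NT-style attachment store under C:\MAIL), and a site policy that only ever expects a delivery to append to a mailbox or write an attachment inside that store. The emulators record the side effects a delivery would have and never perform them; any effect outside the expected set raises the exception flag and the message is dropped.

```python
"""Toy 'emulate-then-decide' mail screen (added example, constructed data).

The screen runs a harmless emulation of each backend's delivery logic,
records the side effects delivery *would* have, and drops the message if
any effect falls outside what the site's policy expects.
"""
from dataclasses import dataclass, field
import ntpath

# Constructed alias table for a UNIX-style backend: a recipient may expand to
# a mailbox file or, on a misconfigured host, to a program to be run.
ALIASES = {
    "alice": "/var/mail/alice",
    "support": "/var/mail/support",
    "legacy-notify": "|/usr/local/bin/notify",   # program delivery (constructed)
}

# Constructed attachment store for an NT-style backend.
NT_STORE = "C:\\MAIL"


@dataclass
class Message:
    recipients: list
    attachments: list = field(default_factory=list)   # attachment file names


@dataclass
class Effect:
    kind: str      # "write_file" or "exec_program"
    target: str


def emulate_unix_delivery(msg, aliases=ALIASES):
    """Pretend to deliver to each recipient; record, never perform, effects."""
    effects = []
    for rcpt in msg.recipients:
        dest = aliases.get(rcpt)
        if dest is None:
            continue   # unknown user: the backend would bounce, no local effect
        if dest.startswith("|"):
            effects.append(Effect("exec_program", dest[1:]))
        else:
            effects.append(Effect("write_file", dest))
    return effects


def emulate_nt_delivery(msg, store=NT_STORE):
    """Pretend to save each attachment the way a naive NT mailer would:
    join the given file name onto the store and let the OS normalise it."""
    effects = []
    for name in msg.attachments:
        path = ntpath.normpath(ntpath.join(store, name))
        effects.append(Effect("write_file", path))
    return effects


def expected(effect):
    """Site policy: delivery may only append to a UNIX mailbox or write
    an attachment inside the NT store. Anything else is unexpected."""
    if effect.kind != "write_file":
        return False
    return (effect.target.startswith("/var/mail/")
            or effect.target.startswith(NT_STORE + "\\"))


def screen(msg):
    """Return ('deliver', []) or ('drop', [reasons]) for a message."""
    effects = emulate_unix_delivery(msg) + emulate_nt_delivery(msg)
    violations = [f"{e.kind} {e.target}" for e in effects if not expected(e)]
    return ("drop", violations) if violations else ("deliver", [])


if __name__ == "__main__":
    for m in (Message(["alice"], ["report.txt"]),
              Message(["legacy-notify"]),
              Message(["alice"], ["..\\autoexec.bat"])):
        print(m, "->", screen(m))
```

The policy is deliberately written in terms of observed effects rather than message syntax, which is the point of the post: the screen does not need to know every way a backend can be talked into running something, only what a correct delivery is supposed to look like.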
