Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: Aleph One <aleph1 () dfw dfw net>
Date: Wed, 4 Feb 1998 15:02:22 -0600 (CST)
On Wed, 4 Feb 1998, Adam Shostack wrote:
To recap: I think packet filters are the wave of the mass market future, because proxies do not offer enough speed for the (hard to understand) security wins that they offer. I think there will be a variety of tools and applications to help you secure the machines behind your packet filters. Those tools and applications will be a lot more useful where there are security features to build on. Securing Win31-98 will remain a huge pain in our craw for a long time.
You conclude that proxies are not cost effective because they do not understand the tunneling done over HTTP by certain protocols. Following your line of thought, applications such as Secure Networks Ballista, ISS's Internet Security Scanner and even Netect's product are useless as well, since they can't defend you against new or unknown vulnerabilities they do not yet test for. The problem is that you view your firewall as a static component that does not change. Network security scanners like the ones you mention have come with a subscription to updates that include new vulnerabilities as they are found. In a similar way, a firewall should include a subscription to updates that would include new protocols and encapsulated protocols as the firewall vendor implements them. In this case your firewall vendor should send you an update that deals with VXTreme (RealAudio, etc.) streaming over HTTP.
Adam
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01