Firewall Wizards mailing list archives

Re: encapsulated protocols?


From: Aleph One <aleph1 () dfw dfw net>
Date: Wed, 4 Feb 1998 15:02:22 -0600 (CST)

On Wed, 4 Feb 1998, Adam Shostack wrote:

      To recap: I think packet filters are the wave of the mass
market future, because proxies do not offer enough speed for the
(hard to understand) security wins that they offer.  I think there
will be a variety of tools and applications to help you secure the
machines behind your packet filters.  Those tools and applications
will be a lot more useful where there are security features to build
on.  Securing Win31-98 will remain a huge pain in our craw for a long
time.

You conclude that proxies are not cost effective because they do not
understand the tunneling done over HTTP by certain protocols.

Following your line of thought, applications such as Secure Networks'
Ballista, ISS's Internet Security Scanner and even Netect's product are
useless as well, since they can't defend you against new or unknown
vulnerabilities they do not yet test for.

The problem is that you view your firewall as a static component that does
not change. Network security scanners like the ones you mention come
with a subscription to updates that include new vulnerabilities as they
are found. In a similar way, firewalls should include a subscription to
updates that would include new protocols and encapsulated protocols as the
firewall vendor implements them.

In this case your firewall vendor should send you an update that deals with
VXTreme (RealAudio, etc.) streaming over HTTP.

Adam

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 