Firewall Wizards mailing list archives

Re: encapsulated protocols?


From: Aleph One <aleph1 () dfw dfw net>
Date: Thu, 5 Feb 1998 10:45:11 -0600 (CST)

On Thu, 5 Feb 1998, Adam Shostack wrote:

      No, I conclude that *for the mass market* packet filters will
win because

1. They're faster
2. The benefit of a proxy is hard to understand
3. Exploits are easier to write than proxies, and there are better
exploit cookbooks, and there are more people writing exploits than
proxies.

(N+1. They're less secure, and less secure almost always wins.)

Sorry for misunderstanding your last post. Then again this is saying for
the mass market McDonald's will win over any good restaurant. The general
public always has a tendency to go for the lowest common denominator. So I
agree with your point.

      Another reason I'm less and less fond of firewalls beyond
packet filters is that it concentrates your security efforts at what
I've come to believe is the wrong place.  A packet filter is useful
because it allows you to connect to the internet without exposing
your intranet.  A proxy is useful for the same reason, but it offers
enhanced defense for the machines behind it.  This, in practice, leads
companies to fail to properly secure the machines behind it.  This
means that those machines are not secure against attack by employees,
temps, contractors, employees of your business partners, etc.  As the
extranet marketecture continues to win executive support without proper
consideration being given to security, this becomes more and more
dangerous.  Thus, I see a value in assessment tools that offer the
ability to rapidly check machines for vulnerabilities.

While you are correct, this does not decrease the usefulness of the proxy.
Coming from a company with over 1500 hundred workstations and NT PCs
which we do not control, a proxy is the only thing protecting them from the
real world. It would be almost impossible in terms of resources and
politics to secure them all, even with the best reports generated by an
assessment tool.

      Should != Do.

Indeed.

      I'll note that one of Netect's advantages is a push based
update mechanism that will allow us to update our customers very
quickly.  (This update mechanism is where we'll be partnering with
PGP/NAI--every copy of Netective includes pgp to verify the updates as
they come in, and an install-update program to process them
in a secure and paranoid fashion.  That program is shipped crystal
box.)

While I think everyone has thought of similar systems before (I know I
have), Netect becomes a single point of failure. I'd rather get updates via
email and approve them offline. The extra time taken is probably
insignificant. Then again I might not have the technical know-how to
audit the update, but this is better than realtime updates for the same
reason that reactive firewalls are a bad idea.

      Proxies take longer to develop than exploits.  When a problem
is found, it's easier to develop a test for the problem, and ship that
with pointers to vendor patches than it is to develop a new proxy and
ship that.  Both approaches are useful.  The proxy mechanism was
developed because it was easier to do than quickly updating all of
your machines.  I expect that a hybrid approach, based on packet
filters, fast vulnerability assessment, intrusion detection, and maybe
other things like strong encryption, the abandonment of application
programming in C, (and other fixed length string languages) will
provide the security of the future.

You are assuming that you need to first see the exploit to develop the
proxy. This is certainly not the case most of the time. Just like you
pointed out, a more strict HTTP proxy could have stopped streaming over
HTTP without knowing the subprotocol. But your conclusion is correct:
layers, layers and more layers.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume



Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
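Aleph One's point that a strict HTTP proxy blocks encapsulated protocols without knowing them, as an added example (not code from this thread or from any product named in it): the kind of request/response validation such a proxy applies, accepting only strictly well-formed HTTP/1.x with allowlisted methods, no protocol upgrades, and bounded responses of known media types. The allowlists and size limit are constructed assumptions for the example.

```python
import re
# Constructed policy for the example; a real proxy would load these from config.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
ALLOWED_RESPONSE_TYPES = {"text/html", "text/plain", "image/gif", "image/jpeg"}
MAX_BODY = 1_000_000  # bytes: upper bound on any single response body
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # legal header field name

def parse_message(raw: bytes):
    """Split an HTTP/1.x head into (start_line, {lowercased name: value}); raise
    ValueError on bare LF, folded, non-token, or duplicate headers."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep or b"\n" in head.replace(b"\r\n", b""):
        raise ValueError("missing CRLFCRLF terminator or bare LF in head")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII raises ValueError too
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if (line[:1] in (" ", "\t") or not colon or not TOKEN.match(name)
                or name.lower() in headers):
            raise ValueError(f"malformed or duplicate header line: {line!r}")
        headers[name.lower()] = value.strip()
    return lines[0], headers

def check_request(raw: bytes) -> bool:
    """True only for a request the strict proxy would forward upstream."""
    try:
        start, headers = parse_message(raw)
        method, _target, version = start.split(" ")  # exactly three tokens
    except ValueError:
        return False
    if method not in ALLOWED_METHODS or version not in ALLOWED_VERSIONS:
        return False  # CONNECT, WebDAV or vendor verbs are not the HTTP we speak
    if "upgrade" in headers or headers.get("connection", "").lower() == "upgrade":
        return False  # never let the connection be switched to another protocol
    if method == "POST" and "content-length" not in headers:
        return False  # an unbounded request body is an open upstream channel
    return True

def check_response(raw: bytes) -> bool:
    """True only for a bounded response whose media type is on the allowlist."""
    try:
        start, headers = parse_message(raw)
        version, status, _reason = start.split(" ", 2)
        length = int(headers["content-length"])  # KeyError when absent
    except (ValueError, KeyError):
        return False  # no Content-Length covers chunked or never-ending streams
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    return (version in ALLOWED_VERSIONS and status.isdigit()
            and media in ALLOWED_RESPONSE_TYPES and 0 <= length <= MAX_BODY)
```

The checks never consult the payload, which is the point: a stream tunnelled inside HTTP is refused because it breaks the protocol's shape, not because the proxy recognises it.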


