Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: Aleph One <aleph1 () dfw dfw net>
Date: Thu, 5 Feb 1998 10:45:11 -0600 (CST)
On Thu, 5 Feb 1998, Adam Shostack wrote:
> No, I conclude that *for the mass market* packet filters will win because
> 1. They're faster
> 2. The benefit of a proxy is hard to understand
> 3. Exploits are easier to write than proxies, and there are better exploit cookbooks, and there are more people writing exploits than proxies.
> (N+1. They're less secure, and less secure almost always wins.)
Sorry for misunderstanding your last post. Then again, this is saying that for the mass market McDonald's will win over any good restaurant. The general public always has a tendency to go for the lowest common denominator. So I agree with your point.
> Another reason I'm less and less fond of firewalls beyond packet filters is that it concentrates your security efforts at what I've come to believe is the wrong place. A packet filter is useful because it allows you to connect to the internet without exposing your intranet. A proxy is useful for the same reason, but it offers enhanced defense for the machines behind it. This, in practice, leads companies to fail to properly secure the machines behind it. This means that those machines are not secure against attack by employees, temps, contractors, employees of your business partners, etc. As the extranet marketecture continues to win executive support without proper consideration being given to security, this becomes more and more dangerous. Thus, I see a value in assessment tools that offer the ability to rapidly check machines for vulnerabilities.
While you are correct, this does not decrease the usefulness of the proxy. Coming from a company with over 1500 workstations and NT PCs which we do not control, a proxy is the only thing protecting them from the real world. It would be almost impossible, in terms of resources and politics, to secure them all even with the best reports generated by an assessment tool.
> Should != Do.
Indeed.
> I'll note that one of Netect's advantages is a push based update mechanism that will allow us to update our customers very quickly. (This update mechanism is where we'll be partnering with PGP/NAI--every copy of Netective includes pgp to verify the updates as they come in, and an install-update program to process them in a secure and paranoid fashion. That program is shipped crystal box.)
While I think everyone has thought of similar systems before (I know I have), Netect becomes a single point of failure. I'd rather get updates via email and approve them offline. The extra time taken is probably insignificant. Then again, I might not have the technical know-how to audit the update, but this is better than realtime updates for the same reason that reactive firewalls are a bad idea.
> Proxies take longer to develop than exploits. When a problem is found, it's easier to develop a test for the problem, and ship that with pointers to vendor patches, than it is to develop a new proxy and ship that. Both approaches are useful. The proxy mechanism was developed because it was easier to do than quickly updating all of your machines. I expect that a hybrid approach, based on packet filters, fast vulnerability assessment, intrusion detection, and maybe other things like strong encryption, the abandonment of application programming in C (and other fixed length string languages) will provide the security of the future.
You are assuming that you need to first see the exploit to develop the proxy. This is certainly not the case most of the time. Just like you pointed out, a more strict HTTP proxy could have stopped streaming over HTTP without knowing the subprotocol. But your conclusion is correct: layers, layers and more layers.
> Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
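The point above about a strict HTTP proxy stopping a tunnelled subprotocol without recognising it, as an added example that is not code from this thread or from any product it names: a request checker that relays only requests provably conforming to a narrow HTTP subset, so anything else (binary stream data, an open-ended body, a method outside the whitelist) is refused by conformance alone. The relay policy, method whitelist and sample traffic are assumptions constructed for illustration.

```python
import re

# Assumed, deliberately narrow relay policy (constructed, not any vendor's rule set).
REQ_LINE = re.compile(rb"^(GET|HEAD|POST) (/[^ ]*|https?://[^ ]+) (HTTP/1\.[01])$")
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # header-name token characters
PRINTABLE = re.compile(rb"^[\x20-\x7e]*$")               # header values: no control bytes

def check_request(raw: bytes):
    """Return (accepted, reason). Anything not provably well-formed HTTP is refused,
    so a tunnelled subprotocol fails the check without the proxy recognising it."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end of headers"
    lines = head.split(b"\r\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        return False, "request line not in the permitted form"
    method = m.group(1)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name) or not PRINTABLE.match(value):
            return False, "malformed header"
        headers[name.lower()] = value.strip()
    if method in (b"GET", b"HEAD"):
        if body or b"content-length" in headers or b"transfer-encoding" in headers:
            return False, "body not allowed on " + method.decode()
        return True, "ok"
    # POST: the body must be exactly the declared length. Open-ended (chunked or
    # over-long) bodies are how a stream keeps flowing, so they are refused.
    if b"transfer-encoding" in headers:
        return False, "streamed body refused"
    if not headers.get(b"content-length", b"").isdigit():
        return False, "POST without a valid Content-Length"
    declared = int(headers[b"content-length"])
    if len(body) != declared:
        return False, f"body length {len(body)} != Content-Length {declared}"
    return True, "ok"

# Constructed sample traffic: an ordinary page fetch, bytes that are not HTTP at
# all, and a POST that keeps pushing data past its declared length.
SAMPLES = {
    "page fetch": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "not http": b"\x00\x01stream-hello\r\n\r\n",
    "over-long body": b"POST /push HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhelloMORE-STREAM",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, check_request(req))
```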