Firewall Wizards mailing list archives
RE: Re: Air Gaps vs. Firewalls
From: <rreiner () fscinternet com>
Date: Tue, 3 Oct 2000 17:30:37 -0400
> In other words you're trying to restrict the URLs *at the firewall*
> to match the anticipated properties of the web applications being
> restricted on one side or the other.

Absolutely. That's what the whale device tries to do, and it sounds VERY desirable to me -- principle of least privilege, and all that :-) The individual(s) who write application logic to process a particular URL should NOT also be able to allow that URL to enter the environment (nor should they be able to publish their own application code into the environment, for that matter). Certainly it's tricky; but least-privilege environments are always tricky to work in. If your risk analysis and your CBA tell you it's worth the effort, though, it's nice to have the option, which you don't unless you have this level of granularity in the firewall-or-other-perimeter-defence-device.

> You can't expect sysadmins to do this and I'm not sure the application
> developers could do it, either.

It certainly isn't a good fit for the SME world... elsewhere, it can be worth the effort.

> This is a surprise to me. Do web site developers really work with specs
> that would clearly define the possible values flowing through a URL? Is
> this common anywhere except perhaps the most sophisticated sites?

Well, it's certainly true in some of the environments we work in. But, as above, definitely not in the SME world.

> Even if one has such specs, wouldn't it make more sense to use those
> specs to automatically generate range and type checking code at the
> server end?

No -- least privilege again. Content checking should absolutely not be automatically generated from the code, or from the spec written by the code group.

> Another approach that addresses these problems but has not prospered in
> the marketplace is to run the web server on a host with some sort of
> mandatory access control. We offered such a thing on Sidewinder for a
> while, and HP offers something similar as "Virtual Vault."
Yep. We haven't worked with Sidewinder's version of this, but have seen VVOS up-close-and-uncomfortable. Would have been a nice product if it had worked right. Although I hear they have a new version which rips out a large and troublesome chunk of the product (a third-party product which had previously been integrated, and was absolutely necessary in complex environments) and replaces it with a different product which ought to work better.

Richard

--
Richard Reiner, Ph.D.
FSC Internet Corp. / SecureXpert Labs
The FSC Building, 188 Davenport Rd.,
Toronto, Ontario, Canada M5R 1J2
+1 416 921 4280, Fax +1 416 966 2451
rreiner () fscinternet com, rreiner () securexpert com
www.fscinternet.com, www.securexpert.com
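As an added example (not from this thread, nor from Whale, Sidewinder or Virtual Vault), here is a default-deny URL policy check of the kind the post argues for: the rule set is a separate artifact from the application code, and any method, path, parameter or value the rules do not anticipate is rejected. The rule format, paths and ranges are constructed for illustration.

```python
# Constructed example of a positive (default-deny) URL policy enforced at
# the perimeter, independent of the application that serves the URLs.
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed policy: each rule names a method, an exact path, and the
# query parameters that path may carry, each with a validator spec:
#   ("int", low, high)   -> decimal integer within [low, high]
#   ("regex", pattern)   -> value must fully match the pattern
POLICY = [
    {"method": "GET", "path": "/catalog/item",
     "params": {"id": ("int", 1, 999999)}},
    {"method": "GET", "path": "/catalog/search",
     "params": {"q": ("regex", r"[A-Za-z0-9 ]{1,40}"),
                "page": ("int", 1, 50)}},
    {"method": "POST", "path": "/account/login", "params": {}},
]

def _valid_value(spec, value):
    """Validate one decoded parameter value against its spec; fail closed."""
    kind = spec[0]
    if kind == "int":
        if not re.fullmatch(r"[0-9]{1,9}", value):
            return False
        return spec[1] <= int(value) <= spec[2]
    if kind == "regex":
        return re.fullmatch(spec[1], value) is not None
    return False  # unknown validator kind: deny rather than guess

def check_request(method, url):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    parts = urlsplit(url)
    for rule in POLICY:
        if rule["method"] != method or rule["path"] != parts.path:
            continue  # exact path match only; no prefix or pattern matching
        # keep_blank_values so that 'id=' is checked rather than silently dropped
        params = parse_qsl(parts.query, keep_blank_values=True)
        seen = set()
        for name, value in params:
            if name not in rule["params"] or name in seen:
                return False, "unexpected or repeated parameter: " + name
            seen.add(name)
            if not _valid_value(rule["params"][name], value):
                return False, "bad value for " + name
        return True, "matched rule for %s %s" % (method, parts.path)
    return False, "no rule for %s %s" % (method, parts.path)
```

Because the check is written against the anticipated shape of each URL rather than against known bad input, a parameter the developers added later is blocked until whoever owns the policy explicitly admits it.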