Firewall Wizards mailing list archives

RE: Re: Air Gaps vs. Firewalls


From: Ryan Russell <ryan () securityfocus com>
Date: Wed, 4 Oct 2000 09:57:02 -0700 (PDT)

On Tue, 3 Oct 2000, Rick Smith wrote:

In other words you're trying to restrict the URLs *at the firewall* to 
match the anticipated properties of the web applications being restricted 
on one side or the other. This sounds very similar to strategies we tried 
with DBMS proxies a few years back.


You're right, this would be really, really hard to get right, and match
the web app.  Heck, if you could get the specs good enough that you could
spell out the URL formats allowed, you could probably get it right at the
web server.  Never hurts to have a backup enforcer, though.

Where something like this would really be fun is in a situation where the
firewall admin/security officers/whatever is supposed to approve new web
apps.  This would actually give them a way to enforce the policy.

I used to have a problem at a previous job with systems administrators
attaching new machines to the DMZ, thinking they were going to go
live.  They could get an address, and figure out which port to plug into
on the switch, but they got nowhere until I changed the firewall
config. (After completing the lockdown/review process that was supposed
to happen before they got that far, of course.)

                                                Ryan
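The "spell out the URL formats allowed" idea from the post, as an added example that is not from the thread: a small positive-model checker in Python that accepts a request only when its method, path and query parameters match one of the documented shapes of the web app and denies everything else. The rules, paths and sample request lines are constructed for illustration, not a real application's specification.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed allow-list: each rule names an HTTP method, a full-path pattern,
# and the query parameters the app is documented to accept, with a value
# pattern for each. A request that matches no rule is denied by default.
RULES = [
    {"method": "GET",  "path": re.compile(r"/"),                     "params": {}},
    {"method": "GET",  "path": re.compile(r"/catalog/item/\d{1,8}"), "params": {}},
    {"method": "GET",  "path": re.compile(r"/search"),
     "params": {"q": re.compile(r"[\w .-]{1,64}")}},
    {"method": "POST", "path": re.compile(r"/login"),                "params": {}},
]


def url_allowed(method, url, rules=RULES):
    """Return (allowed, reason) for one request, judged only by the allow-list."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        # The app is only ever addressed by relative path; absolute URLs are not expected.
        return False, "absolute url"
    if "%" in parts.path or ".." in parts.path:
        # Refuse percent-encoding and dot segments in the path rather than trying to
        # normalise them; the documented formats never contain either.
        return False, "encoded or dot-segment path"
    query = parse_qs(parts.query, keep_blank_values=True)
    for rule in rules:
        if rule["method"] != method.upper() or not rule["path"].fullmatch(parts.path):
            continue
        allowed = rule["params"]
        if set(query) - set(allowed):
            return False, "unexpected parameter"
        for name, values in query.items():
            # Exactly one value per parameter, and it must fit the documented shape.
            if len(values) != 1 or not allowed[name].fullmatch(values[0]):
                return False, "bad parameter value"
        return True, "matched"
    return False, "no matching rule"


def check_requests(request_lines):
    """Evaluate 'METHOD URL' lines (e.g. from a constructed access log)."""
    results = []
    for line in request_lines:
        method, url = line.split(None, 1)
        allowed, reason = url_allowed(method, url)
        results.append((line, allowed, reason))
    return results


if __name__ == "__main__":
    for line, ok, why in check_requests(["GET /search?q=air+gap", "GET /admin"]):
        print("ALLOW" if ok else "DENY ", why.ljust(24), line)
```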


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

