Firewall Wizards mailing list archives

Re: Re: Code Red: What security specialist don't mention in warnings (Frank Knobbe)


From: Balazs Scheidler <bazsi () balabit hu>
Date: Sat, 11 Aug 2001 14:13:09 +0200

On Wed, Aug 08, 2001 at 09:44:42AM +1000, Darren Reed wrote:
In some email I received from Joseph Steinberg, sie wrote:

So you're saying every piece of software that interacts with another via
the network is to be filtered through an application proxy/tool ?
I find that unacceptable.

How the heck do we know that this filter isn't buggy ?
Where are the guarantees for it saying it has no buffer overflows ?

Simply deploying more layers between two parties does NOT fix the problem,
just attempts to hide it.

The problem here is quality of software (or lack thereof) and the ability
of vendors to legally provide/sell bugware.

Firewalls (I mean both packet filtering and applevel gateways) wouldn't be
needed _iff_ every host (workstation, server ...) were a perfect and
secure entity on its own. Given you have thousands of hosts to protect,
possibly running different software, you probably have several
vulnerabilities. Deploying the firewall which _understands_ and verifies
every bit of transmitted transactions _may_ offer a solution without all
your protected hosts being perfect.

A firewall is a single entity to maintain, or to audit, and a single point
where security problems can be solved for a lot of hosts. Of course it's
therefore a single point of failure as well.

You said firewalls themselves can have bugs as well. This is true; this
problem can be remedied (but not solved) by using two different firewalls,
possibly both parsing the application protocol.

The latest CodeRedII worm can easily be filtered without signatures in IDS
systems: it violates the HTTP protocol, the URL it sends contains an invalid
character sequence ('%' must be followed by either another '%' or exactly
two hexadecimal digits), thus a good application gateway can protect against
it.
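As an added illustration (not code from the mail or from any gateway product), the following shows the kind of protocol check the paragraph above describes: an application gateway that rejects any request line whose URL contains a '%' not followed by two hex digits (the mail's "another '%'" allowance is a toggle). The request lines are constructed samples, not captured worm traffic.

```python
import re
from typing import Optional

HEX_DIGITS = "0123456789abcdefABCDEF"


def percent_encoding_error(path: str, allow_double_percent: bool = True) -> Optional[str]:
    """Return None if every '%' in path is well-formed, else describe the first violation.

    Rule as stated in the mail: '%' must be followed by exactly two hex digits,
    or (optionally) by another '%'.
    """
    i, n = 0, len(path)
    while i < n:
        if path[i] != "%":
            i += 1
            continue
        rest = path[i + 1:i + 3]            # up to two characters after the '%'
        if allow_double_percent and rest[:1] == "%":
            i += 2                          # '%%' accepted as a literal percent
            continue
        if len(rest) == 2 and all(c in HEX_DIGITS for c in rest):
            i += 3                          # '%XX' with two hex digits
            continue
        return f"offset {i}: '%' followed by {rest!r} (need two hex digits)"
    return None


# Minimal HTTP/1.x request line: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)$")


def gateway_verdict(request_line: str) -> str:
    """Decide PASS/REJECT for one request line the way a strict gateway would."""
    m = REQUEST_LINE.match(request_line)
    if not m:
        return "REJECT: malformed request line"
    err = percent_encoding_error(m.group(2))
    return f"REJECT: {err}" if err else "PASS"


SAMPLE_REQUESTS = [  # constructed examples for the demo, not real captures
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/search?q=a%20b%2Fc HTTP/1.1",
    "GET /foo?x=%uZZZZ HTTP/1.0",    # 'u' after '%' is not a hex digit
    "GET /bar?y=%4 HTTP/1.0",        # escape truncated at end of target
    "GET /baz?z=100%% HTTP/1.0",     # accepted only because of the '%%' toggle
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{gateway_verdict(line):50s} <- {line}")
```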

I'm not saying that every buffer overflow can be caught by app level
gateways, but chances are that they catch more of them than simple packet
filters.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

