Firewall Wizards mailing list archives

Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 21 Feb 2001 10:18:11 +1100

In some email I received from agetchel () kde state ky us, sie wrote:
> Apples and oranges.  Of course a firewall can't keep someone from
> defacing a web server which it's protecting, they work at a lower layer and
> don't care if that HTTP packet which just entered its external interface
> contains a buffer overflow attack.

Why can't it?  Or more to the point, why shouldn't it?

Isn't that what it's there to do - protect web servers, etc?

If it can't provide protection from people defacing web servers
then what's the point of having it in the first place?  Why should
I pay $10k for a firewall if it can't protect my web server from
hackers?

> The firewall is there to keep people
> from telneting, SSHing, or establishing a NetBIOS session with the server
> and gaining direct access.

That's one role.  But they fail when you start tunnelling one service inside
another.  This is what you can do with SSH, SOAP, etc.

> They are an _access control_ device.

That's another role.

> To address
> security problems at a higher layer, and protect against the above mentioned
> web site defacements, you need to think about patching your boxes and using
> a reverse application proxy that can detect attacks which may be used in the
> defacement process (such as Unicode attacks or, like I mentioned above,
> buffer overflow attacks).

That's a separate problem.

> _Any box_ which can be accessed over a network
> can be broken into, the security devices used to protect that box just make
> it for the intruder.

I beg to differ about that.  Although I'm having some parsing problems
with the latter part of that sentence.

> Firewalls do a _very good_ job of that.

> Bottom line, don't try and solve a layer-7 problem with a
> layer-3/layer-4 device.

Who said a firewall had to be only a layer-3/layer-4 device?

What do you think a proxy firewall does, hmm?

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
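The thread turns on whether a "firewall" may inspect HTTP at layer 7 the way a reverse application proxy does. The following is an added illustration, not code from the thread or from any product discussed in it: a request-line filter of the kind such a proxy applies before a request reaches the web server. It rejects oversized targets (the classic buffer-overflow vector), percent-encoded sequences that are not valid UTF-8 (which is how "Unicode" encodings of `/` and `.` evade checks made on the raw bytes), and `..` segments that only appear after decoding. The method allowlist, the 1024-byte limit and the sample request lines are all constructed assumptions for this example.

```python
"""Added example: a layer-7 request-line check of the kind a reverse application
proxy performs in front of a web server. Sample requests are constructed here,
not taken from the thread; the limits and method list are assumed policy."""
from urllib.parse import unquote_to_bytes

ALLOWED_METHODS = {"GET", "HEAD", "POST"}  # assumed policy for a plain web site
MAX_TARGET_LEN = 1024                      # assumed policy: cap request-target length
REQUEST_LINE_PARTS = 3                     # METHOD SP TARGET SP HTTP-VERSION


def decode_target(raw: str):
    """Percent-decode the target, then decode the bytes as strict UTF-8.

    Strict decoding refuses overlong sequences (for example a two-byte
    encoding of '/'), which a check on the undecoded bytes would miss.
    Returns (True, text) on success or (False, reason) on failure.
    """
    try:
        return True, unquote_to_bytes(raw).decode("utf-8")
    except UnicodeDecodeError as exc:
        return False, f"invalid or overlong UTF-8 after percent-decoding ({exc.reason})"


def inspect_request_line(line: str) -> tuple[str, str]:
    """Return ('allow', normalized_path) or ('reject', reason) for one request line."""
    parts = line.split(" ")
    if len(parts) != REQUEST_LINE_PARTS or not parts[2].startswith("HTTP/"):
        return "reject", "malformed request line"
    method, target, _version = parts
    if method not in ALLOWED_METHODS:
        return "reject", f"method {method} not allowed"
    if len(target) > MAX_TARGET_LEN:
        return "reject", f"request target exceeds {MAX_TARGET_LEN} bytes"
    ok, decoded = decode_target(target)
    if not ok:
        return "reject", decoded
    path = decoded.split("?", 1)[0]  # ignore the query string for path checks
    if not path.startswith("/"):
        return "reject", "target is not an absolute path"
    for segment in path.split("/"):
        if segment == "..":
            return "reject", "path traversal segment present after decoding"
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in segment):
            return "reject", "control character in path"
    return "allow", path


SAMPLE_REQUESTS = [  # constructed for this example
    "GET /index.html HTTP/1.1",                   # ordinary request
    "GET /" + "A" * 2000 + " HTTP/1.1",           # oversized target
    "GET /files/%c0%ae%c0%ae/config HTTP/1.1",    # overlong UTF-8 encoding of '..'
    "GET /files/%2e%2e/config HTTP/1.1",          # '..' hidden by percent-encoding
    "CONNECT example.com:443 HTTP/1.1",           # tunnelling method not in policy
]


def inspect_all(lines=SAMPLE_REQUESTS):
    """Run the filter over a list of request lines and return the verdicts."""
    return [inspect_request_line(line) for line in lines]


if __name__ == "__main__":
    for line, (verdict, detail) in zip(SAMPLE_REQUESTS, inspect_all()):
        print(f"{verdict:6} {detail}  <- {line[:60]}")
```

A packet filter working on addresses and ports sees none of these distinctions; every decision above depends on parsing the HTTP request itself, which is the point made about proxy firewalls at the end of the message.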
