Firewall Wizards mailing list archives

RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY


From: agetchel () kde state ky us
Date: Wed, 21 Feb 2001 02:46:29 -0500

Why can't it?  Or more to the point, why shouldn't it?

Isn't that what it's there to do - protect web servers, etc?

If it can't provide protection from people defacing web servers
then what's the point of having it in the first place?  Why should
I pay $10k for a firewall if it can't protect my web server from
hackers?

        The point of having a traditional layer-3/layer-4 firewall is to
protect from _certain kinds_ of attacks, like I said before, from direct
access attempts to the server itself.  You shouldn't have the expectation
that a standard 'stateful inspection' or 'packet filtering' firewall would
protect you from layer-7 exploits.  If you believe that, then your firewall
software vendor's sales folks are doing a really good job of selling their
product. =)  For example, our layer-3/layer-4 firewall can't provide layer-7
security (against exploits such as buffer overflows or Unicode attacks) to
our ten server proxy cluster, but it blocks over a hundred access attempts
per day from people trying to establish a NetBIOS session with them.  Like I
said before, if you want layer-7 security, look at an application proxy.
Why _shouldn't_ layer-3/layer-4 firewalls provide layer-7 security?  Why
shouldn't my steel-toe boots protect my head should I fall down and hit it
on a table?  Because that's not what they're there for.

That's one role.  But they fail when you start tunnelling one service inside
another.  This is what you can do with SSH, SOAP, etc.

        Correct.  Like I said before, if you want layer-7 security, look at
something which can inspect the payload of the packet itself to verify the
integrity of the data being sent and received.  Application proxies do a
wonderful job at this.

That's another role.

        Access control is the _primary_ role of a layer-3/layer-4 firewall
in most cases.

That's a separate problem.

        No, that's _the_ problem you are trying to solve that you state a
layer-3/layer-4 firewall can't do the job, and you're correct.  That's why
there are application proxies.  They provide layer-7 security which protect
against most all of the typical techniques used for defacing web sites.  If
you want both layer-3/layer-4 security AND layer-7 security, use both types
of devices.

I beg to differ about that.  Although I'm having some parsing problems
with the latter part of that sentence.

        What I'm trying to say here is that there's no _one_ security device
that solves every problem and therefore no _one_ security device that is
100% guaranteed to protect servers from exploits.  This is why we have
stateful inspection firewalls AND application proxies.  Why doesn't one
product provide functionality at all layers?  Performance is a good reason.
Providing security at layer-7 is slow, typically, and not appropriate for
all scenarios.

Who said a firewall had to be only a layer-3/layer-4 device ?

What do you think a proxy firewall does, hmm?

        I know what an application proxy, or 'proxy firewall' as you say it,
is.  It provides layer-7 security like I stated above many times.  I never
said a firewall had to only be a layer-3/layer-4 device, like you said,
because we have application proxies which _are_ a type of firewall.  Perhaps
we should try and define 'firewall'... =)

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
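The distinction Abe draws above (a layer-3/layer-4 filter stops the NetBIOS session attempts but waves a "Unicode attack" through on TCP/80, and only something that inspects the payload catches it) can be shown in a few dozen lines. The following is an added example written for this archive page; it is not code from the original post or from any firewall product. The rule set, the packets, the RFC 5737 addresses, and the `lenient_utf8_decode` helper (which stands in for a web server that accepts overlong UTF-8 sequences such as `%c0%af` for `/`, the encoding the 2001-era IIS traversal requests used) are all constructed for illustration. `naive_check` is included to show why a layer-7 device has to decode before it matches: a plain substring search for `../` on the raw request sees nothing wrong.

```python
"""Layer-3/4 filtering versus layer-7 inspection of the same packets.

Added example, not part of the original mailing-list post.  All packets,
rules, and addresses are constructed; the decoder below deliberately
accepts overlong UTF-8 so it behaves like the tolerant servers that were
exploited with %c0%af-style traversal requests.
"""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    src: str       # source IP (RFC 5737 documentation range, constructed)
    dst: str       # destination IP (constructed)
    proto: str     # "tcp" or "udp"
    dport: int     # destination port
    payload: bytes


# Hypothetical layer-3/4 policy for a web server: first match wins, default deny.
RULES = [
    ("allow", "tcp", 80),
    ("allow", "tcp", 443),
    ("deny", "tcp", 139),   # NetBIOS session service
    ("deny", "tcp", 445),
]

ALLOWED_METHODS = ("GET", "HEAD", "POST")
MAX_REQUEST_LINE = 2048   # crude cap against oversize-request overflows


def l34_filter(pkt: Packet) -> str:
    """Packet filter: looks only at protocol and port, never at the payload."""
    for action, proto, port in RULES:
        if pkt.proto == proto and pkt.dport == port:
            return action
    return "deny"


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode UTF-8 while accepting overlong 2- and 3-byte forms.

    Python's own decoder rejects C0 AF and E0 80 AF; a server that accepts
    them turns both into '/'.  Invalid bytes become U+FFFD.
    """
    out, i, n = [], 0, len(raw)
    while i < n:
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))); i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= c <= 0xBF for c in raw[i + 1:i + 3])):
            cp = ((b & 0x0F) << 12) | ((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)
            out.append(chr(cp)); i += 3
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)


def naive_check(payload: bytes) -> str:
    """Substring match on the raw bytes, no decoding: misses encoded traversal."""
    return "deny" if (b"../" in payload or b"..\\" in payload) else "allow"


def l7_check(payload: bytes) -> str:
    """Application-proxy style check: parse, decode, then judge the request."""
    head = payload.split(b"\r\n", 1)[0]
    if len(head) > MAX_REQUEST_LINE:
        return "deny"
    try:
        method, target, version = head.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"                      # malformed request line
    if method not in ALLOWED_METHODS or not version.startswith("HTTP/1."):
        return "deny"
    path = target.split("?", 1)[0]
    decoded = lenient_utf8_decode(unquote_to_bytes(path))
    segments = decoded.replace("\\", "/").split("/")
    return "deny" if ".." in segments else "allow"


def decide(pkt: Packet) -> str:
    """Both devices in series, as the post recommends: filter first, then proxy."""
    if l34_filter(pkt) == "deny":
        return "deny (layer-3/4)"
    if pkt.dport in (80, 443) and l7_check(pkt.payload) == "deny":
        return "deny (layer-7)"
    return "allow"


# Constructed sample traffic toward a web server at 198.51.100.10.
NETBIOS = Packet("203.0.113.7", "198.51.100.10", "tcp", 139, b"\x81\x00\x00D CKAAAAAAAAAA")
NORMAL = Packet("203.0.113.7", "198.51.100.10", "tcp", 80,
                b"GET /index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n")
UNICODE = Packet("203.0.113.7", "198.51.100.10", "tcp", 80,
                 b"GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in (("netbios", NETBIOS), ("normal", NORMAL), ("unicode", UNICODE)):
        print(f"{name:8s} l34={l34_filter(pkt):5s} naive={naive_check(pkt.payload):5s} "
              f"combined={decide(pkt)}")
```

Running it shows the split the post describes: the NetBIOS packet dies at the layer-3/4 rule, the traversal request is allowed by the packet filter and by the undecoded substring check, and only the layer-7 path, which percent-decodes and then decodes the overlong UTF-8, sees the `..` segments and refuses it.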

