Firewall Wizards mailing list archives

RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY


From: agetchel () kde state ky us
Date: Wed, 21 Feb 2001 10:34:05 -0500

You seem to have made a whole bunch of assumptions about what I was
talking about when I said "firewall" and in essence, none of them are
true.  I never said anything about 'stateful inspection' or 'packet
filtering'.

        I guess I have.  When someone says 'firewall' I think
layer-3/layer-4 firewall, as a layer-7 firewall is usually spoken of as an
'application proxy', 'proxy firewall', or 'application gateway'.  Usually a
distinction is made.

A firewall is a firewall, be that what it is.
You buy it to protect your network and servers from hackers.

If it can't protect your web server from hackers then what sort of
protection is it really providing you?

        I believe I made that clear when I said:

"For example, our layer-3/layer-4 firewall can't provide layer-7 security
(against exploits such as buffer overflows or Unicode attacks) to our
ten-server proxy cluster, but it blocks over a hundred access attempts per day
from people trying to establish a NetBIOS session with them."

        Over a hundred times a day our layer-3/layer-4 firewall is keeping
folks from attempting to access our proxy cluster.  That's why we bought it.
Nobody (we sure didn't) should have the expectation that it can solve all of
your problems and protect your servers from all types of attacks.  I believe
I made that clear when I said:

"What I'm trying to say here is that there's no _one_ security device that
solves every problem and therefore no _one_ security device that is 100%
guaranteed to protect servers from exploits."

Actually, you didn't say it before (or at least not in any email I've read).

        Sigh.

"To address security problems at a higher layer, and protect against the
above mentioned web site defacements, you need to think about patching your
boxes and using a reverse application proxy that can detect attacks which
may be used in the defacement process (such as Unicode attacks or, like I
mentioned above, buffer overflow attacks)."

That's not the question I asked.  I asked why shouldn't firewalls protect
web servers.  Stop cheating.

Or are you willing to withdraw that comment about firewalls only being
low-level devices? :-)

        No, but I'm willing to modify it to _clarify_ that layer-3/layer-4
firewalls can't protect against layer-7 attacks.  Which was the point that I
was trying to convey in the example I gave.  In the example I was _clearly_
talking about a layer-3/layer-4 firewall, given that I stated it didn't
care about layer-7 information (HTTP data).  Try reading it again.

I didn't state that it couldn't do the job - you did.
I asked this:

Why can't it?  Or more to the point, why shouldn't it?

(You should really try reading what people write in emails, not what you
 think has been written.)

        Again, I think we have more of a difference of terminology here
rather than a disagreement on what kind of security measures 'firewalls'
(definition including application proxies) can provide.

Oh really?  That's news to me :)  If I install Gauntlet, it will magically
protect my web server from defacing - hmmm, I'd like to see that :)  I'm
sure the NAI folk could sell it well if it were true too :)

        No, but it's going to help, just like a layer-3/layer-4 firewall
will against certain types of attacks.

Or did the media redefine firewall to only mean packet filters while
we weren't watching ?  They already stole "hacker"...

        No, but like I stated above, I think we have a conflict of
terminology on our hands.  I'm trying (and have been trying) to say that a
layer-3/layer-4 firewall can't provide layer-7 security and you shouldn't
believe that it can (which I don't think you do).  Yes, a 'firewall'
(definition including application proxies) can.  I _think_ we can agree on
that. =)

        BTW-Were you at the SANS Conference in New Orleans last month?  The
name 'Darren Reed' sounds familiar, I thought I might have met you there.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
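The distinction argued over in this message, that a layer-3/layer-4 filter decides on addresses and ports alone while a reverse application proxy reads the HTTP request, can be made concrete in code. The following is an added example written for this archive page; it is not code from Abe Getchell, Darren Reed, or any product they mention. The proxy-cluster addresses, the allowed ports, the sample requests and the size limit are all constructed assumptions. It shows the same traffic passing through both checks: a NetBIOS session attempt is dropped at layer 3/4, a Unicode-encoded directory traversal aimed at port 80 is accepted at layer 3/4 and caught only by the layer-7 inspector, and an oversized request line of the kind used in buffer-overflow attempts is rejected by length before any parsing.

```python
"""Layer-3/4 packet filter beside a layer-7 HTTP inspector (added example).

Everything here is constructed for illustration: the cluster addresses,
the port lists, the request samples and the length limit are assumptions,
not taken from the mailing-list thread.
"""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


# Hypothetical addresses of the reverse-proxy cluster being protected.
PROXY_CLUSTER = {"192.0.2.10", "192.0.2.11"}
NETBIOS_PORTS = {137, 138, 139, 445}
WEB_PORTS = {80, 443}
MAX_REQUEST_LINE = 2048          # assumed limit; tune to the real server

# Overlong UTF-8 encodings that some servers historically decoded as the
# ASCII characters shown, letting "..%c0%af.." act as "../..".
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b"."}


def l3l4_filter(pkt: Packet) -> str:
    """Decide on the 5-tuple only. The payload is never examined, which is
    exactly why this cannot see an HTTP-level attack on an allowed port."""
    if pkt.dst not in PROXY_CLUSTER:
        return "DROP"
    if pkt.dport in NETBIOS_PORTS:
        return "DROP"                     # the hundred-a-day NetBIOS probes
    if pkt.proto == "tcp" and pkt.dport in WEB_PORTS:
        return "ACCEPT"
    return "DROP"                         # default deny


def normalize_path(raw_path: str) -> bytes:
    """Undo single and double percent-encoding, map known overlong UTF-8
    sequences to the characters the target would have seen, and unify
    slashes so a traversal check has one canonical form to look at."""
    data = raw_path.encode("latin-1")
    for _ in range(2):                    # "%255c" -> "%5c" -> "\"
        data = unquote_to_bytes(data)
    for seq, char in OVERLONG.items():
        data = data.replace(seq, char)
    return data.replace(b"\\", b"/")


def escapes_root(path: bytes) -> bool:
    """True when the path climbs above the document root at any point."""
    depth = 0
    for seg in path.split(b"/"):
        if seg == b"..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in (b"", b"."):
            depth += 1
    return False


def l7_inspect(payload: bytes) -> str:
    """Inspect the HTTP request line as a reverse proxy would."""
    line = payload.split(b"\r\n", 1)[0]
    if len(line) > MAX_REQUEST_LINE:
        return "DROP: oversized request line"      # overflow attempt?
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "DROP: malformed request line"
    method, target, _version = parts
    if method not in (b"GET", b"HEAD", b"POST"):
        return "DROP: method not allowed"
    path = target.split(b"?", 1)[0].decode("latin-1")
    if escapes_root(normalize_path(path)):
        return "DROP: directory traversal"
    return "ACCEPT"


def evaluate(pkt: Packet) -> tuple:
    """Run the L3/4 decision first; only accepted packets reach the L7 check."""
    verdict = l3l4_filter(pkt)
    if verdict != "ACCEPT":
        return verdict, None
    return verdict, l7_inspect(pkt.payload)


# Constructed sample traffic.
NETBIOS_PROBE = Packet("203.0.113.5", "192.0.2.10", "tcp", 139)
UNICODE_TRAVERSAL = Packet("203.0.113.5", "192.0.2.10", "tcp", 80,
    b"GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")
DOUBLE_ENCODED = Packet("203.0.113.5", "192.0.2.11", "tcp", 80,
    b"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe HTTP/1.0\r\n\r\n")
OVERSIZED = Packet("203.0.113.5", "192.0.2.10", "tcp", 80,
    b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n")
BENIGN = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
    b"GET /index.html HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in [("netbios", NETBIOS_PROBE), ("unicode", UNICODE_TRAVERSAL),
                      ("double", DOUBLE_ENCODED), ("oversized", OVERSIZED),
                      ("benign", BENIGN)]:
        print(name, evaluate(pkt))
```

The point the example makes is the one both parties end up agreeing on: the packet filter is doing useful work on the NetBIOS probes, and the traversal request sails through it untouched because port 80 to the cluster is exactly what it is configured to allow; only the component that parses the request can decline it.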

