Firewall Wizards mailing list archives
RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY
From: agetchel () kde state ky us
Date: Wed, 21 Feb 2001 10:34:05 -0500
You seem to have made a whole bunch of assumptions about what I was talking about when I said "firewall" and in essence, none of them are true. I never said anything about 'stateful inspection' or 'packet filtering'.
I guess I have. When someone says 'firewall' I think layer-3/layer-4 firewall, as a layer-7 firewall is usually spoken of as an 'application proxy', 'proxy firewall', or 'application gateway'. Usually a distinction is made.
A firewall is a firewall, be that what it is. You buy it to protect your network and servers from hackers. If it can't protect your web server from hackers then what sort of protection is it really providing you?
I believe I made that clear when I said: "For example, our layer-3/layer-4 firewall can't provide layer-7 security (against exploits such as buffer overflows or Unicode attacks) to our ten server proxy cluster, but it blocks over a hundred access attempts per day from people trying to establish a NetBIOS session with them." Over a hundred times a day our layer-3/layer-4 firewall is keeping folks from attempting to access our proxy cluster. That's why we bought it. Nobody (we sure didn't) should have the expectation that it can solve all of your problems and protect your servers from all types of attacks. I believe I made that clear when I said: "What I'm trying to say here is that there's no _one_ security device that solves every problem and therefore no _one_ security device that is 100% guaranteed to protect servers from exploits."
Actually, you didn't say it before (or at least not in any email I've read).
Sigh. "To address security problems at a higher layer, and protect against the above mentioned web site defacements, you need to think about patching your boxes and using a reverse application proxy that can detect attacks which may be used in the defacement process (such as Unicode attacks or, like I mentioned above, buffer overflow attacks)."
That's not the question I asked. I asked why shouldn't firewalls protect web servers. Stop cheating.
Or are you willing to withdraw that comment about firewalls only being low-level devices? :-)
No, but I'm willing to modify it to _clarify_ that layer-3/layer-4 firewalls can't protect against layer-7 attacks. Which was the point that I was trying to convey in the example I gave. In the example I was _clearly_ talking about a layer-3/layer-4 firewall, in that I stated it didn't care about layer-7 information (HTTP data). Try reading it again.
I didn't state that it couldn't do the job - you did. I asked this: Why can't it? Or more to the point, why shouldn't it? (You should really try reading what people write in emails, not what you think has been written.)
Again, I think we have more of a difference of terminology here rather than a disagreement on what kind of security measures 'firewalls' (definition including application proxies) can provide.
Oh really? That's news to me :) If I install Gauntlet, it will magically protect my web server from defacing - hmmm, I'd like to see that :) I'm sure the NAI folk could sell it well if it were true too :)
No, but it's going to help, just like a layer-3/layer-4 firewall will against certain types of attacks.
Or did the media redefine firewall to only mean packet filters while we weren't watching ? They already stole "hacker"...
No, but like I stated above, I think we have a conflict of terminology on our hands. I'm trying (and have been trying) to say that a layer-3/layer-4 firewall can't provide layer-7 security and you shouldn't believe that it can (which I don't think you do). Yes, a 'firewall' (definition including application proxies) can. I _think_ we can agree on that. =)

BTW - Were you at the SANS Conference in New Orleans last month? The name 'Darren Reed' sounds familiar, I thought I might have met you there.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
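As an added illustration of the layer-3/layer-4 versus layer-7 distinction argued in this thread (example code, not from either poster): a port-based rule drops the NetBIOS session attempt but must permit anything bound for TCP/80, so only a layer-7 check that decodes and normalises the request path can flag a traversal hidden behind overlong UTF-8 ("Unicode") encoding. The addresses, paths and the rule set are constructed.

```python
"""Layer-3/4 filtering vs. layer-7 inspection of the same traffic (added example)."""
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes  # TCP payload; the HTTP request for port 80 traffic


def l34_filter(pkt: Packet, allowed_tcp_ports=(80,)) -> str:
    """Layer-3/4 decision: only addresses, protocol and port are visible (hypothetical rule set)."""
    if pkt.proto == "tcp" and pkt.dport in allowed_tcp_ports:
        return "permit"
    return "deny"  # e.g. TCP/139 NetBIOS session attempts


def l7_inspect(request_line: bytes) -> str:
    """Layer-7 decision: parse the HTTP request line and normalise the path before checking it."""
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "block: malformed request line"
    raw_path = unquote_to_bytes(parts[1])  # undo %xx encoding before any check
    try:
        path = raw_path.decode("utf-8")  # strict decoder rejects overlong forms such as %c0%af
    except UnicodeDecodeError:
        return "block: invalid or overlong UTF-8 in path"
    path = path.replace("\\", "/")
    if any(seg == ".." for seg in path.split("/")):
        return "block: path traversal after normalisation"
    return "permit"


def decide(pkt: Packet) -> dict:
    """Run both layers; the layer-7 check only sees what the port rule already permitted."""
    verdict = {"l34": l34_filter(pkt), "l7": None}
    if verdict["l34"] == "permit" and pkt.dport == 80:
        verdict["l7"] = l7_inspect(pkt.payload.split(b"\r\n")[0])
    return verdict


# Constructed samples: a NetBIOS session attempt, an encoded traversal, and a normal request.
NETBIOS = Packet("198.51.100.7", "192.0.2.10", "tcp", 139, b"")
UNICODE_TRAVERSAL = Packet("198.51.100.7", "192.0.2.10", "tcp", 80,
                           b"GET /images/..%c0%af..%c0%afconfig.txt HTTP/1.0\r\nHost: www.example\r\n\r\n")
CLEAN = Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in [("netbios", NETBIOS), ("unicode_traversal", UNICODE_TRAVERSAL), ("clean", CLEAN)]:
        print(f"{name:18} {decide(pkt)}")
```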