Firewall Wizards mailing list archives
Re: Firewall Primitives
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sat, 09 Nov 2002 20:15:31 +0100
"Marcus J. Ranum" wrote:
> Older systems _were_ perfectly capable of doing checks for malicious behavior. A few of them did, even the first proxy firewalls. The reason firewalls don't do exhaustive checks has more to do with market dynamics and time-to-market than it does with performance issues in doing fast checks.
Any chance I could get you to agree that this also _could_ be related to the sheer number of protocols in common use today?

Doing thorough app logic on telnet, SMTP, NNTP and FTP is one thing. (Well, actually, the FTP assumptions broke completely when Java was introduced, but that's another story :)) AFAIR, things started going south when HTTP was becoming popular and wasn't proxified soon enough. (And, yes, I do recall why that was.)

This is not to say that a thoroughly secure firewall (as in a collection of systems) shouldn't be composed of well-written application gateways (postfix/qmail for mail definitely qualifies here), compartmentalize stuff (do your surfing/mail reading on a terminal server in a separate zone) and whatnot.

But, really, I can't say I'm surprised that the vast majority of firewall installs are just packet filters (or proxies using mainly plug-gws). When you move beyond well-defined standardized protocols (in which I most certainly do NOT include the fast-moving target HTTP), anything approaching thorough application analysis becomes... hard. "Whoops! New version of $business-critical-multimedia-app released! The proxy broke again!"

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Firewall Primitives, (continued)
- Re: Firewall Primitives Magosányi Árpád (Nov 05)
- Re: Firewall Primitives Crispin Cowan (Nov 05)
- Re: Firewall Primitives George Capehart (Nov 05)
- Re: Firewall Primitives Crispin Cowan (Nov 06)
- Re: Firewall Primitives Marcus J. Ranum (Nov 06)
- Re: Firewall Primitives Devdas Bhagat (Nov 06)
- Re: Firewall Primitives Marcus J. Ranum (Nov 06)
- Re: Firewall Primitives Devdas Bhagat (Nov 07)
- Re: Firewall Primitives Adam Shostack (Nov 09)
- BS claims (was Re: Firewall Primitives) Marcus J. Ranum (Nov 09)
- Re: Firewall Primitives Mikael Olsson (Nov 09)
- Re: Firewall Primitives Marcus J. Ranum (Nov 09)
- Re: Firewall Primitives Christopher Hicks (Nov 10)
- Re: Firewall Primitives Predrag Zivic (Nov 10)
- Re: Firewall Primitives Stephen P. Berry (Nov 11)
- Re: Firewall Primitives Cat Okita (Nov 11)
- Re: Firewall Primitives Paul Robertson (Nov 11)
- Re: Firewall Primitives Stephen P. Berry (Nov 11)