Firewall Wizards mailing list archives

Re: Firewall Primitives


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sat, 09 Nov 2002 20:15:31 +0100


"Marcus J. Ranum" wrote:

> Older systems _were_ perfectly capable of doing checks for malicious
> behavior. A few of them did, even the first proxy firewalls. The
> reason firewalls don't do exhaustive checks has more to do with
> market dynamics and time-to-market than it does with performance
> issues in doing fast checks.

Any chance I could get you to agree that this also _could_ be related 
to the sheer number of protocols in common use today?

Doing thorough app logic on telnet, SMTP, NNTP and FTP is one thing.
(Well, actually, the FTP assumptions broke completely when Java was
 introduced, but that's another story :))

AFAIR, things started going south when HTTP was becoming popular and
wasn't proxified soon enough. (And, yes, I do recall why that was.)


This is not to say that a thoroughly secure firewall (as in collection
of systems) shouldn't be composed of well-written application gateways
(postfix/qmail for mail definitely qualifies here), compartmentalize
stuff (do your surfing/mail reading on a terminal server in a separate
zone) and whatnot.

But, really, I can't say I'm surprised that the vast majority of 
firewall installs are just packet filters (or proxies using mainly
plug-gws).  When you move beyond well-defined standardized protocols 
(in which I most certainly do NOT include the fast-moving target HTTP), 
anything approaching thorough application analysis becomes... hard.   
"Whoops! New version of $business-critical-multimedia-app released! 
The proxy broke again!"


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards