Re: Firewalls Compared

[Devdas Bhagat <devdas () dvb homelinux org>]

On 28/06/04 23:52 -0400, Stiennon,Richard wrote:
> Am I the only one that sees a huge difference between an application
> proxy (ala the good old days of server based firewalls) and filters that
> are applied to payloads (ala Network Intrusion Prevention) by inline
> network devices? 
I see a difference too. The first is a good thing. The second has
considerably less value.

(generalisations follow, they might not be applicable everywhere)
As I understand it, proxies watch for known good traffic. They will
filter out stuff which is not known to be good.

IPS watches for known bad traffic. It only responds to that which is
known to be bad. This is a lousy setup for a firewall.

Firewalls MUST be in a default DENY mode.

> Let's keep in mind that stateful inspection firewalls are GREAT security
> devices. They protect over 80% of enterprise networks today.  SQL Slammer
> cannot get through a firewall with port 1443 blocked. Same for MSBlaster,
> Welchia etc.  
1433. But why would your firewall even bother to explicitly close
port 1433? Would you not allow only specific ports to go through in the
first place?

> However, worms can come in through infected laptops or third party
> connections. When they connect directly to the corporate LAN you are
> toast. It turns out IPS is great at blocking worms and it is easier
So why do you allow them to connect directly to the corporate LAN?
Keep them on a separate subnet. Limit the access of systems which go
outside the controlled corporate environment until they are checked for
security. This is a policy issue. Fix the problem at layer 8.

"Take your laptop home, but then you need to go through these processes
every time you do so".

> to deploy IPS internally because policy setting is simple:  MS Blaster
> yes/no? 

> Worms generally target Microsoft vulnerabilities. 
Then your answer is obvious. Don't run that vulnerable software!

> Are you going to write application proxies for Exchange? ASN 1? Does
> anyone other than MSFT even know how these applications communicate? Not.
So don't run them. And explicitly tell your Microsoft representative
that you will not use those products because there is no third party
proxy for those protocols *and* they are not documented.

Nothing will fix that issue faster than lost and/or cancelled orders.

>  But, you know what the vulnerability looks like and could look at
> traffic and identify malicious activity even without signatures. The
> future of network security is all about inspecting traffic. It is not
> about application proxies. 
Hint: Application proxies insect traffic. 

Devdas Bhagat
PS: What happens when the traffic is encrypted? Where do you fight
the attacker?
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards