Firewall Wizards mailing list archives
Re: Firewalls Compared
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Tue, 29 Jun 2004 23:33:51 +0530
On 28/06/04 23:52 -0400, Stiennon,Richard wrote:
> Am I the only one that sees a huge difference between an application proxy (ala the good old days of server based firewalls) and filters that are applied to payloads (ala Network Intrusion Prevention) by inline network devices?
I see a difference too. The first is a good thing. The second has considerably less value. (generalisations follow, they might not be applicable everywhere) As I understand it, proxies watch for known good traffic. They will filter out stuff which is not known to be good. IPS watches for known bad traffic. It only responds to that which is known to be bad. This is a lousy setup for a firewall. Firewalls MUST be in a default DENY mode.
> Let's keep in mind that stateful inspection firewalls are GREAT security devices. They protect over 80% of enterprise networks today. SQL Slammer cannot get through a firewall with port 1443 blocked. Same for MSBlaster, Welchia etc.
1433. But why would your firewall even bother to explicitly close port 1433? Would you not allow only specific ports to go through in the first place?
> However, worms can come in through infected laptops or third party connections. When they connect directly to the corporate LAN you are toast. It turns out IPS is great at blocking worms and it is easier
So why do you allow them to connect directly to the corporate LAN? Keep them on a separate subnet. Limit the access of systems which go outside the controlled corporate environment until they are checked for security. This is a policy issue. Fix the problem at layer 8. "Take your laptop home, but then you need to go through these processes every time you do so".
> to deploy IPS internally because policy setting is simple: MS Blaster yes/no?
> Worms generally target Microsoft vulnerabilities.
Then your answer is obvious. Don't run that vulnerable software!
> Are you going to write application proxies for Exchange? ASN 1? Does anyone other than MSFT even know how these applications communicate? Not.
So don't run them. And explicitly tell your Microsoft representative that you will not use those products because there is no third party proxy for those protocols *and* they are not documented. Nothing will fix that issue faster than lost and/or cancelled orders.
> But, you know what the vulnerability looks like and could look at traffic and identify malicious activity even without signatures. The future of network security is all about inspecting traffic. It is not about application proxies.
Hint: Application proxies inspect traffic.

Devdas Bhagat

PS: What happens when the traffic is encrypted? Where do you fight the attacker?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
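The two filtering models the reply contrasts (a default-deny allowlist of known-good services versus a denylist of known-bad signatures), as an added illustration that is not part of the thread. The allowed ports, the signature marker bytes and the sample flows are all constructed for the example.

```python
"""Toy comparison of default-deny (allowlist) filtering with signature
(denylist) filtering. All ports, markers and flows are constructed
placeholders, not real signatures or real worm traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    dst_port: int
    payload: bytes


# Default-DENY policy: only explicitly permitted services pass.
# Port 1433 is never listed, so it needs no explicit "block" rule.
ALLOWED_SERVICES = {("tcp", 25), ("tcp", 80), ("tcp", 443)}


def allowlist_verdict(flow: Flow) -> str:
    """Proxy/firewall model: pass known-good, drop everything else."""
    return "allow" if (flow.proto, flow.dst_port) in ALLOWED_SERVICES else "deny"


# Denylist of known-bad byte patterns (constructed marker, not a real signature).
KNOWN_BAD_SIGNATURES = [b"WORM-V1-MARKER"]


def signature_verdict(flow: Flow) -> str:
    """IPS model: pass everything unless a known-bad signature matches."""
    if any(sig in flow.payload for sig in KNOWN_BAD_SIGNATURES):
        return "deny"
    return "allow"


def compare(flows):
    """Return (flow, default-deny verdict, signature verdict) for each flow."""
    return [(f, allowlist_verdict(f), signature_verdict(f)) for f in flows]


# Constructed sample traffic.
SAMPLE_FLOWS = [
    Flow("tcp", 443, b"GET / HTTP/1.1"),              # legitimate web traffic
    Flow("tcp", 1433, b"\x04\x01WORM-V1-MARKER"),     # worm with a known signature
    Flow("tcp", 1433, b"\x04\x01WORM-V2-MARKER"),     # variant with no signature yet
]

if __name__ == "__main__":
    for flow, fw, ips in compare(SAMPLE_FLOWS):
        print(f"port {flow.dst_port:>5}: default-deny={fw:<5} signature-ips={ips}")
```

The third flow is the case the reply is making: the signature filter passes the unseen variant, while the default-deny policy drops it without ever having heard of it.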