Firewall Wizards mailing list archives
Re: How automate firewall tests
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 21 Aug 2006 09:38:57 -0400
Tim Shea wrote:
And you can equally argue that proxies were never good to begin with. Really - the majority of applications out there have no real layer 7 level proxy so you have to tackle the problem from other directions.
That's exactly what I mean. It goes deeper than that, really. Most applications out there today have no layer 7 *specification* -- never mind a proxy. They're simply a bunch of poorly-understood stuff going back and forth on a connection. Nobody can filter it for correctness because nobody even knows what correctness *means* in that case.

Or, you get protocols like the VOIP suite, which are an amalgamation of poorly-designed and over-designed standards and features; there's no sensible way to go through and apply protocol minimization because there's no real protocol, just a feature set driven by a bunch of commands that are executed in an arbitrary order.

Insecurity is a problem of complexity and trust. We can't fix trust with technology, and the complexity of current applications software has completely escaped our grasp. Until such a time when app protocols are well-designed and specified (ain't gonna happen!) we're not going to have meaningful progress in security, we'll just have the "band aid of the month club."

For the record, I never felt firewalls were a solution to the problem (proxy or otherwise) they're simply a centralizable band aid. The reason that packet-oriented firewalls suck is because they're locked into the permit/deny-packet model and that means it's impossible to do protocol minimization. I don't think anyone does that any more, anyhow, so it's largely a moot point.

On the other hand, the customers of the "computer security industry" are spending about $1 billion annually on all the computer security "solutions" yet the situation is getting worse. What does that tell you? It tells me the "conventional wisdom" isn't.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
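The contrast Ranum draws between a permit/deny-packet filter and layer 7 "protocol minimization" is easier to see in code than in prose. The following is an added illustration, not code from this thread or from any firewall product: it models a minimizing proxy for an SMTP-like command stream, which is a rare case where a real specification (RFC 5321) exists to minimize against. The allowed-command table, the state machine, the simplified address pattern and the sample session are all constructed for this example; VRFY, EXPN and HELP are left out of the minimized subset on purpose, and commands arriving out of the specified sequence are refused rather than relayed. The packet-filter function beside it shows the whole decision a port-based filter can make.

```python
"""Protocol minimization (layer 7) vs. permit/deny packet filtering.

Added example; not code from the firewall-wizards thread. The SMTP subset,
state machine and sample session below are constructed for illustration.
"""
import re

# Commands the minimizing proxy will relay, keyed to the session states in
# which the specification permits them. VRFY/EXPN/HELP are deliberately
# absent: the minimized protocol simply does not include them.
ALLOWED = {
    "HELO": {"start"}, "EHLO": {"start"},
    "MAIL": {"greeted"},
    "RCPT": {"mail", "rcpt"},
    "DATA": {"rcpt"},
    "RSET": {"greeted", "mail", "rcpt"},
    "NOOP": {"start", "greeted", "mail", "rcpt"},
    "QUIT": {"start", "greeted", "mail", "rcpt"},
}
NEXT_STATE = {"HELO": "greeted", "EHLO": "greeted", "MAIL": "mail",
              "RCPT": "rcpt", "DATA": "data", "RSET": "greeted",
              "QUIT": "closed"}
MAX_LINE = 512    # RFC 5321 command-line limit, CRLF included
MAX_TEXT = 1000   # RFC 5321 text-line limit, CRLF included
# Simplified address syntax (assumption for the example, not full RFC 5321).
ADDR = re.compile(r"^<[^<>\s]{1,254}>$")


def packet_filter_verdict(dst_port, allowed_ports=(25,)):
    """A packet filter's entire view of the problem: is the port permitted?"""
    return "permit" if dst_port in allowed_ports else "deny"


def minimize_command(state, line):
    """Apply one line of the stream to the proxy's state machine.

    Returns (verdict, new_state); verdict is 'relay' or 'reject:<reason>'.
    """
    if state == "closed":
        return "reject:session closed", state
    if not line.endswith("\r\n"):
        return "reject:bad line terminator", state
    body = line[:-2]
    if state == "data":
        # Message text: enforce the length limit and watch for the "." end marker.
        if len(line) > MAX_TEXT:
            return "reject:text line too long", state
        return "relay", ("greeted" if body == "." else state)
    if len(line) > MAX_LINE:
        return "reject:line too long", state
    if not body.isascii() or not body.isprintable():
        return "reject:non-printable bytes", state
    verb, _, arg = body.partition(" ")
    verb = verb.upper()
    if verb not in ALLOWED:
        return "reject:command not in minimized protocol", state
    if state not in ALLOWED[verb]:
        return "reject:command out of sequence", state
    if verb in ("MAIL", "RCPT"):
        key = "FROM:" if verb == "MAIL" else "TO:"
        if not arg.upper().startswith(key) or not ADDR.match(arg[len(key):].strip()):
            return "reject:malformed address", state
    return "relay", NEXT_STATE.get(verb, state)


def filter_session(lines, state="start"):
    """Run a whole client stream through the minimizer; return verdicts and final state."""
    verdicts = []
    for line in lines:
        verdict, state = minimize_command(state, line)
        verdicts.append(verdict)
    return verdicts, state


# Constructed client session: one disallowed command and one out-of-order DATA.
SAMPLE_SESSION = [
    "EHLO client.example\r\n",
    "VRFY root\r\n",                   # not in the minimized subset
    "MAIL FROM:<a@example.org>\r\n",
    "DATA\r\n",                        # no RCPT yet: out of sequence
    "RCPT TO:<b@example.net>\r\n",
    "DATA\r\n",
    "Hello\r\n",
    ".\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    print("packet filter, tcp/25:", packet_filter_verdict(25))
    for line, verdict in zip(SAMPLE_SESSION, filter_session(SAMPLE_SESSION)[0]):
        print(f"{line.rstrip()!r:35} -> {verdict}")
```

The packet filter returns "permit" for every one of these lines because they all ride the same tcp/25 connection; the proxy relays seven of them and refuses the VRFY and the premature DATA. That difference is what "protocol minimization" buys, and it is only possible because SMTP has a specification to minimize against, which is Ranum's point about protocols that lack one.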
Current thread:
- How automate firewall tests Strabla Ruggero (Aug 17)
- Re: How automate firewall tests Marcus J. Ranum (Aug 17)
- Re: How automate firewall tests Durga Prasad (Aug 18)
- Re: How automate firewall tests Marcus J. Ranum (Aug 18)
- Re: How automate firewall tests Isaac Van Name (Aug 20)
- Re: How automate firewall tests Marcus J. Ranum (Aug 20)
- Re: How automate firewall tests Tim Shea (Aug 21)
- Re: How automate firewall tests Paul D. Robertson (Aug 21)
- Re: How automate firewall tests ArkanoiD (Aug 21)
- Re: How automate firewall tests Marcus J. Ranum (Aug 21)
- Re: How automate firewall tests Chris Blask (Aug 22)
- Re: How automate firewall tests Patrick M. Hausen (Aug 22)
- Re: How automate firewall tests Chris Blask (Aug 23)
- Re: How automate firewall tests Crispin Cowan (Aug 28)
- Re: How automate firewall tests Marcus J. Ranum (Aug 28)
- Re: How automate firewall tests Marcus J. Ranum (Aug 28)
- Re: How automate firewall tests Cat Okita (Aug 29)
- Re: How automate firewall tests Durga Prasad (Aug 18)
- Re: How automate firewall tests Marcus J. Ranum (Aug 17)
- Re: How automate firewall tests Marcus J. Ranum (Aug 23)
- Re: How automate firewall tests Jim Seymour (Aug 23)
- Re: How automate firewall tests Tina Bird (Aug 23)