Firewall Wizards mailing list archives
Re: IPS vs. Firewalls (why vs. ?)
From: Dave Piscitello <dave () corecom com>
Date: Tue, 07 Feb 2006 14:53:42 -0500
Marcus J. Ranum wrote:
> This is exactly what I meant about whether a device is internally designed around 'default permit' or 'default deny'. A device that is aimed toward default deny would know what totally vanilla HTTP looked like and would discard anything that was not exactly plain HTTP.
I made a similar comment.
> Protocol-over-protocol tunnelling is nothing new. But step back and ask yourself "why tunnel protocol over protocol"?? There is actually no real reason for tunnelling except to make it easier to bypass controls, right? After all, if we use SSL on port 443 for "https" and SSL on port 993 for "imap" etc, it's clear that we can use protocol layering without trying to violate policy... So I, frankly, I feel that if I see instant messenger traffic on my HTTP service that I've caught someone with their hand in the cookie jar, so to speak. Time to cut it off...
Yep.
> Remember, a lot of these tunnelled protocols are billed as being "firewall friendly."
The marketing euphemism is "firewall aware" not "firewall friendly". To truly understand what firewall administrators are up against, read the Skype firewall FAQ at http://www.skype.com/help/guides/firewall.html
One statement that stands out among all others as most onerous: "Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype to be able to connect to the Skype network and will not make your network any less secure."
I think I've identified candidate skulls for those .50 BMG SLAP rounds you mentioned.
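As an added illustration of the default-deny point Marcus makes above (example code written for this page, not from the thread or from any product): a check that admits traffic on an HTTP service only if it is exactly a well-formed HTTP/1.x request head with an allow-listed method, and treats everything else, including CONNECT tunnels and non-HTTP payloads that merely happen to arrive on port 80, as a policy violation. The sample captures are constructed.

```python
import re

# Default deny: only these methods count as "plain HTTP". CONNECT is deliberately
# absent, because it asks for an opaque tunnel, which is the protocol-over-protocol
# case the thread objects to.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}

# Origin-form request line only (target starts with "/"), HTTP/1.0 or HTTP/1.1.
REQUEST_LINE = re.compile(
    rb"^(?P<method>[A-Z]{1,16}) (?P<target>/[!-~]*) HTTP/1\.(?P<minor>[01])\r\n$"
)
# One header: token name, colon, printable ASCII value, CRLF.
HEADER_LINE = re.compile(rb"^(?P<name>[A-Za-z0-9!#$%&'*+.^_`|~-]+):[ \t]*[ -~\t]*\r\n$")


def classify_http_request(payload: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for the first bytes seen on the HTTP port.
    Anything that does not match the grammar is denied, not waved through."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no CRLFCRLF end-of-headers: not a complete HTTP request head"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0] + b"\r\n")
    if not m:
        return False, "request line is not HTTP/1.x origin-form"
    method = m.group("method").decode("ascii")
    if method not in ALLOWED_METHODS:
        return False, f"method {method} is not on the allow-list"
    names = []
    for raw in lines[1:]:
        h = HEADER_LINE.match(raw + b"\r\n")
        if not h:
            return False, "malformed header line"
        names.append(h.group("name").lower())
    if m.group("minor") == b"1" and b"host" not in names:
        return False, "HTTP/1.1 request without Host header"
    return True, "plain HTTP"


# Constructed sample captures (not real traffic) for demonstration.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: demo\r\n\r\n",
    "connect_tunnel": b"CONNECT chat.example.net:5222 HTTP/1.1\r\nHost: chat.example.net:5222\r\n\r\n",
    "xmpp_on_80": b"<stream:stream xmlns='jabber:client' to='example.net'>",
    "tls_on_80": b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        allowed, why = classify_http_request(data)
        print(f"{name:15} {'ALLOW' if allowed else 'DENY':5} {why}")
```

Only the browser request passes; the CONNECT request, the XMPP stream opener and the TLS ClientHello are all rejected, each with a reason a log reviewer can act on.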