Firewall Wizards mailing list archives
Re: FW appliance comparison - Seeking input for the forum
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 18 Jan 2006 23:29:54 +0100
Hi!

On Wed, Jan 18, 2006 at 03:27:20PM -0500, Paul Melson wrote:

> > Why would you want a signature based IDS at all? They don't work. Period. Enumerating badness is a silly idea.
>
> Sure they do. The premise may be flawed, but the technology works, even if it falls into the "better than nothing" category. They're smoke detectors for a small subset of possible fires. Using one is still better than letting the house burn to the ground each and every time there's a fire.

You are correct and I oversimplified the issue. They are useful. They don't increase the "security" of flawed firewall designs, though.

> See my previous post. Just because you enforce HTTP over TCP/80 with a proxy doesn't mean you're keeping all of the garbage out... or in.

I'm not talking about enforcing HTTP. I'm talking about enforcing application data. I know of a firewall vendor actively developing an Active Directory proxy enforcing which side of the proxy is allowed which methods and objects on the other side of the proxy. There are products that let you configure a positive list of URLs that your web application uses. Everything else will be denied. This catches _all_ of "GET /../../../WINDOWS/SYSTEM32/CMD.EXE ..." and the like. If configured correctly. Mechanism is nothing without policy. And firewalls are mechanism.

> Not to mention that there are plenty of standard, known protocols out there (think SQL protocols) that lack a good proxy to manage the actual behavior of the connections that cross them.

The very same vendor has got an MS SQL proxy that actually understands MS SQL.

> Not to mention that the real bad guys are tunneling across the allowed ports while you sleep.

Firewalls have never been about ports. Most current commercial offerings are, but I hardly call _these_ firewalls.

Kind regards,
Patrick

--
punkt.de GmbH Internet - Dienstleistungen - Beratung
Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe http://punkt.de

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
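The positive-list proxy Patrick describes, as an added illustration that is not part of the thread and not any vendor's product: a deny-by-default check of HTTP request lines against an explicit list of (method, path) pairs the web application actually uses. The allow-list, the `normalise_path` and `policy_decision` helpers and the sample request lines are all constructed for this example. The point it shows is the one made in the post: the traversal request is not "detected", it is simply not on the list, and the same holds for any encoding of it once the path is normalised.

```python
"""
Positive-list (allow-list) policy check for HTTP request lines.

Added example, not code from the mailing list or from any firewall
vendor. Everything here (the allow-list, the helper names, the sample
requests) is constructed for illustration.
"""
import posixpath
from urllib.parse import unquote

# Constructed positive list: the only (method, path) pairs the
# hypothetical web application needs. Anything else is denied.
ALLOWED = {
    ("GET", "/"),
    ("GET", "/index.html"),
    ("GET", "/images/logo.png"),
    ("POST", "/login"),
}


def normalise_path(raw_path):
    """Canonicalise a request path before comparing it to the list.

    Percent-decoding is applied twice so a double-encoded "%252e%252e"
    still collapses to "..", backslashes are treated as separators, and
    dot segments are resolved. posixpath.normpath keeps a leading "/"
    and discards "..", so "/../../../WINDOWS/..." becomes "/WINDOWS/...".
    """
    path = raw_path
    for _ in range(2):
        path = unquote(path)
    path = path.replace("\\", "/")
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    return path


def policy_decision(request_line):
    """Return ("allow" | "deny", detail) for one HTTP request line.

    The policy is strict on purpose: methods are case-sensitive, a
    query string is refused because none of the listed endpoints take
    one, and an unexpected protocol version is refused as well.
    """
    parts = request_line.split()
    if len(parts) != 3:
        return "deny", "malformed request line"
    method, target, version = parts
    if not version.startswith("HTTP/1."):
        return "deny", "unexpected protocol version %s" % version
    path, _, query = target.partition("?")
    if query:
        return "deny", "query string not permitted by policy"
    path = normalise_path(path)
    if (method, path) in ALLOWED:
        return "allow", "%s %s" % (method, path)
    return "deny", "not in positive list: %s %s" % (method, path)


# Constructed sample traffic: legitimate requests mixed with the kind of
# traversal attempts the thread mentions, in several encodings.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /images/../images/logo.png HTTP/1.1",
    "POST /login HTTP/1.1",
    "GET /../../../WINDOWS/SYSTEM32/CMD.EXE HTTP/1.0",
    "GET /images/%2e%2e/%2e%2e/WINDOWS/SYSTEM32/CMD.EXE HTTP/1.1",
    "GET /images/%252e%252e/%252e%252e/WINDOWS/SYSTEM32/CMD.EXE HTTP/1.1",
    "GET /images/..%5c..%5cWINDOWS/SYSTEM32/CMD.EXE HTTP/1.1",
    "GET /login HTTP/1.1",
    "get /index.html HTTP/1.1",
    "GET /index.html?cmd=whoami HTTP/1.1",
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Evaluate every sample request and return {request_line: decision}."""
    return {line: policy_decision(line)[0] for line in requests}


if __name__ == "__main__":
    for line, decision in run_samples().items():
        print("%-5s %s" % (decision, line))
```

Note that `GET /login` is denied even though `/login` appears in the list: the positive list binds method to object, which is the same idea Patrick attributes to the Active Directory proxy (which side may use which methods on which objects). The cost is the one he names too: the list has to be configured correctly, and every legitimate URL the application adds later must be added to the policy or it will be denied.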