Firewall Wizards mailing list archives

Re: FW appliance comparison - Seeking input for the forum


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Wed, 18 Jan 2006 23:29:54 +0100

Hi!

On Wed, Jan 18, 2006 at 03:27:20PM -0500, Paul Melson wrote:

> > Why would you want a signature-based IDS at all? They don't work.
> > Period. Enumerating badness is a silly idea.
> 
> Sure they do.  The premise may be flawed, but the technology works, even if
> it falls into the "better than nothing" category.  They're smoke detectors
> for a small subset of possible fires.  Using one is still better than
> letting the house burn to the ground each and every time there's a fire.

You are correct and I oversimplified the issue. They are useful.
They don't increase the "security" of flawed firewall
designs, though.

> See my previous post.  Just because you enforce HTTP over TCP/80 with a
> proxy doesn't mean you're keeping all of the garbage out... or in.

I'm not talking about enforcing HTTP. I'm talking about enforcing
application data. I know of a firewall vendor actively developing
an Active Directory proxy enforcing which side of the proxy is
allowed which methods and objects on the other side of the proxy.

There are products that let you configure a positive list of
URLs that your web application uses. Everything else will be
denied. This catches _all_ of "GET /../../../WINDOWS/SYSTEM32/CMD.EXE ..."
and the like. If configured correctly.

Mechanism is nothing without policy. And firewalls are mechanism.

> Not to mention that there are plenty of standard, known protocols out there
> (think SQL protocols) that lack a good proxy to manage the actual behavior
> of the connections that cross them.

The very same vendor has got an MS SQL proxy that actually understands
MS SQL.

> Not to mention that the real bad guys are tunneling across the
> allowed ports while you sleep.

Firewalls have never been about ports. Most current commercial
offerings are, but I hardly call _these_ firewalls.

Kind regards,
Patrick
-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
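The positive list of URLs that Patrick describes, as an added example that is not from the thread or from any vendor's product. It assumes a hypothetical application policy (`ALLOWED`, a list of method plus anchored path patterns) and a few constructed request lines. The point it adds is the "if configured correctly" caveat: the request path has to be canonicalized (percent-decoded to a fixed point, dot-segments collapsed) before it is matched, and a tempting loose prefix rule matched against the raw target (`decide_naive`) lets a traversal through that the canonicalizing filter (`decide`) rejects.

```python
"""Positive-model (allowlist) URL filter in front of a web application.

Added example; hypothetical policy and constructed requests, not code
from the original post or any product mentioned in it.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical policy: the only (method, canonical path) pairs the
# application actually uses.  This is the "policy"; decide() is the "mechanism".
ALLOWED = [
    ("GET", re.compile(r"^/$")),
    ("GET", re.compile(r"^/index\.html$")),
    ("GET", re.compile(r"^/static/[A-Za-z0-9_\-]+\.(css|js|png)$")),
    ("GET", re.compile(r"^/orders/\d+$")),
    ("POST", re.compile(r"^/orders$")),
    ("POST", re.compile(r"^/login$")),
]

# A loose rule of the kind that gets written when the real URL set is unknown:
# "anything under /static/".  Used only by decide_naive() to show the bypass.
LOOSE_ALLOWED = [("GET", re.compile(r"^/static/"))]


def canonical_path(raw_target):
    """Return the canonical absolute path for an HTTP request-target, or None.

    - the query string is dropped (it would be policed separately)
    - percent-decoding is repeated until stable, so %252e (double encoding)
      ends up as '.' like any other encoding of it
    - '.' and '..' segments are collapsed with posixpath.normpath, so the
      filter sees the same path the backend will resolve
    - NUL, backslash and non-absolute targets (e.g. 'OPTIONS *') are rejected
    """
    path = urlsplit(raw_target).path
    for _ in range(5):            # bounded fixed-point decode
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None               # still changing after 5 rounds: hostile
    if "\x00" in path or "\\" in path or not path.startswith("/"):
        return None
    return posixpath.normpath(path)


def _split(request_line):
    parts = request_line.split()
    return parts if len(parts) == 3 else None


def decide(request_line):
    """Canonicalize, then require an exact policy match: 'ALLOW' or 'DENY'."""
    parts = _split(request_line)
    if parts is None:
        return "DENY"
    method, target, _version = parts
    path = canonical_path(target)
    if path is None:
        return "DENY"
    for allowed_method, pattern in ALLOWED:
        if method == allowed_method and pattern.match(path):
            return "ALLOW"
    return "DENY"


def decide_naive(request_line):
    """Prefix match on the raw target, no canonicalization: the wrong way."""
    parts = _split(request_line)
    if parts is None:
        return "DENY"
    method, target, _version = parts
    for allowed_method, pattern in LOOSE_ALLOWED:
        if method == allowed_method and pattern.match(target):
            return "ALLOW"
    return "DENY"


if __name__ == "__main__":
    # Constructed request lines, not captured traffic.
    for line in [
        "GET /orders/42 HTTP/1.1",
        "GET /static/app%2Ejs HTTP/1.1",
        "GET /../../../WINDOWS/SYSTEM32/CMD.EXE HTTP/1.0",
        "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
        "GET /static/../../etc/passwd HTTP/1.1",
    ]:
        print(f"{decide(line):5}  naive={decide_naive(line):5}  {line}")
```

Note that the canonicalizing filter still accepts a legitimately encoded request for a listed URL (`/static/app%2Ejs`), so it is not simply "deny anything with a percent sign"; it denies what does not resolve to a URL the application uses.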