Dailydave mailing list archives

Re: This just in: Firewalls are obsolete


From: Florian Weimer <fw () deneb enyo de>
Date: Tue, 12 Jul 2005 01:39:30 +0200

* Blue Boar:

> Firewalls exist so that people can do risky things behind them.  Such as
> running complex protocols.
>
> I don't see much drop in use of risky protocols, so I don't expect the
> use of firewalls to go down much.

In order to offer any protection, the firewall has to implement the
complex protocol -- and countless others.  This means that the
firewall vendor is at a disadvantage compared to the original protocol
author (less focus, often less information).  I don't think most
firewall vendors use radically different implementation techniques;
it's mostly C or C++, with the usual problems.  Often, the net result
is a protocol implementation at the firewall level which is
incomplete, does not completely protect the actual service, and has
security bugs on its own.

In almost all cases, if you run two software packages instead of one,
you get the union of all their bugs, not the intersection.  The
application you're trying to protect must be in a really, really bad
shape before this equation changes.  Of course, such things do happen
in practice (cf. web applications and SQL injection), but to fix these
mishaps, you have to go well beyond typical firewalling efforts.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave