Dailydave mailing list archives

Re: This just in: Firewalls are obsolete


From: "I)ruid" <druid () caughq org>
Date: Tue, 12 Jul 2005 12:14:09 -0500

On Tue, 2005-07-12 at 01:39 +0200, Florian Weimer wrote:
> * Blue Boar:
> 
> > Firewalls exist so that people can do risky things behind them.  Such as
> > running complex protocols.
> 
> In order to offer any protection, the firewall has to implement the
> complex protocol -- and countless others.  This means that the
> firewall vendor is at a disadvantage compared to the original protocol
> author (less focus, often less information).  I don't think most
> firewall vendors use radically different implementation techniques;
> it's mostly C or C++, with the usual problems.  Often, the net result
> is a protocol implementation at the firewall level which is
> incomplete, does not completely protect the actual service, and has
> security bugs on its own.

He said /behind/ the firewall, not /through/ the firewall.  If complex
protocol X is being spoken internally on ports 214 & 31337, the firewall
itself couldn't care less how to speak the protocol, it just knows it's
blocking ports 214 & 31337.

-- 
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
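The distinction I)ruid draws above, as an added illustration that is not code from the thread: a perimeter filter that decides purely on addresses and ports never touches the payload, so the complexity of the protocol spoken on 214 and 31337 behind it is irrelevant to the filter's own correctness. The internal network 10.0.0.0/8, the example addresses and the payload bytes are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed for this example: the "behind the firewall" side.
INTERNAL = ip_network("10.0.0.0/8")
# The ports from the post: the complex protocol is only ever spoken internally.
RISKY_PORTS = {214, 31337}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""   # carried along but never parsed by the filter


def port_filter(pkt: Packet) -> str:
    """Header-only decision for a packet crossing the perimeter box.

    Returns "not-seen" for traffic that stays on one side of the boundary
    (it never reaches the perimeter filter), "drop" for boundary-crossing
    traffic to a port reserved for internal-only protocols, else "accept".
    Note that pkt.payload is never read: the filter does not need to
    understand, parse or validate the protocol it is keeping inside.
    """
    src_inside = ip_address(pkt.src) in INTERNAL
    dst_inside = ip_address(pkt.dst) in INTERNAL
    if src_inside == dst_inside:
        return "not-seen"
    if pkt.dport in RISKY_PORTS:
        return "drop"
    return "accept"


def payload_independent(pkt: Packet, other_payload: bytes) -> bool:
    """Check that the verdict does not change when only the payload differs."""
    twin = Packet(pkt.src, pkt.dst, pkt.dport, other_payload)
    return port_filter(pkt) == port_filter(twin)


if __name__ == "__main__":
    inbound = Packet("192.0.2.7", "10.1.2.3", 31337, b"\xff" * 64)  # constructed
    print(port_filter(inbound))                                   # drop
    print(payload_independent(inbound, b"well-formed request"))   # True
```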
