Educause Security Discussion mailing list archives

Re: Ports/applications permitted for Guest Access


From: Shannon Roddy <sroddy () LIGO-LA CALTECH EDU>
Date: Sun, 11 Sep 2011 14:27:01 -0500


On Sep 11, 2011, at 12:11 PM, Dave Koontz wrote:

> As you've discovered, port based firewalls are no longer adequate in today's world.  Any application can disguise 
> itself as web traffic (http or https), and many "bad" things do.

Many good, legitimate things do too.  I have been known to run a kdc or two on port 443 because of port based blocking 
so that users can kinit even when they can't get a VPN connection.  Nothing aggravates me more than an outbound port 
based firewall that won't even let one establish a VPN connection.  In many ways, poorly managed or overly paranoid 
port based firewalls are why we have a port 80/443 world.


> You need a firewall that can understand applications regardless of ports used.
>
> Take a look at Palo Alto networks solutions or any other next generation firewalls.  I really believe Palo Alto has a 
> huge lead currently in this market. I am sure that Cisco, Foundry, Juniper and others will catch up in a couple of 
> years, but for now Palo Alto has a clear lead.  Take a look at the last Gartner's Firewall report to see what I mean.
>
> --
> Dave Koontz
> Mary Baldwin College
> Staunton, Virginia
>
> On 9/11/2011 10:39 AM, Robert Lau wrote:
>
>> Is anybody doing protocol/application inspection?  Once ports 80/443/22/etc are allowed, an app can pump any data 
>> through; it does not have to be http/https/ssh/etc.  In olden days, this would probably only be done by a clueful 
>> user, but many applications do this automatically now specifically to handle port restrictions.
>>
>> -robert

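As an added illustration of the application-inspection point raised in this thread (example code written for this archive page, not from any poster or from any firewall product): a minimal classifier that labels a TCP stream by its first payload bytes rather than by destination port, run over constructed sample flows. It shows what a port-only rule sees versus what an application-aware rule sees, and how a KDC answering on port 443, as Shannon describes, is identified as Kerberos rather than HTTPS; the policy, port list and sample bytes are all assumptions.

```python
import struct

# Constructed sample flows (dst_port, first payload bytes); not real captures.
SAMPLE_FLOWS = [
    (443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),       # TLS handshake record header
    (80, b"GET / HTTP/1.1\r\nHost: example.edu\r\n\r\n"),     # plain HTTP request
    (443, b"\x00\x00\x00\x04\x6a\x02\x05\x00"),               # Kerberos AS-REQ framing on 443
    (443, b"\xde\xad\xbe\xef\x00\x01\x02\x03"),               # something else on 443
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

def classify_payload(data: bytes) -> str:
    """Label a TCP stream by its first bytes, ignoring the port entirely."""
    if len(data) < 5:
        return "unknown"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00-0x04
    if data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"SSH-"):
        return "ssh"
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in data[:256]:
        return "http"
    # Kerberos over TCP (RFC 4120 section 7.2.2): 4-byte big-endian length,
    # then an ASN.1 APPLICATION tag: 0x6a = AS-REQ, 0x6c = TGS-REQ
    (length,) = struct.unpack(">I", data[:4])
    if length == len(data) - 4 and data[4] in (0x6A, 0x6C):
        return "kerberos"
    return "unknown"

def port_based_verdict(dst_port: int, open_ports=frozenset({80, 443, 22})) -> bool:
    """What a port-only rule sees: the port number, nothing else."""
    return dst_port in open_ports

def app_aware_verdict(dst_port: int, payload: bytes, policy: dict) -> tuple:
    """policy maps a port to the set of application labels allowed on it."""
    app = classify_payload(payload)
    return app, app in policy.get(dst_port, frozenset())

def review_flows(flows, policy):
    """Compare both verdicts per flow; returns (port, app, port_ok, app_ok)."""
    out = []
    for port, payload in flows:
        app, app_ok = app_aware_verdict(port, payload, policy)
        out.append((port, app, port_based_verdict(port), app_ok))
    return out

# Hypothetical policy: web protocols only, until the KDC is explicitly added to 443.
WEB_ONLY_POLICY = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}
```

With WEB_ONLY_POLICY the port rule admits all four sample flows, while the application rule admits only the TLS and HTTP ones and surfaces the Kerberos flow for the administrator to allow deliberately.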
