Firewall Wizards mailing list archives
Re: Antwort: Re: Facts, not Fiction
From: "Paul D. Robertson" <proberts () clark net>
Date: Mon, 10 Nov 1997 20:07:08 -0500 (EST)
On Mon, 10 Nov 1997 Hartmut.Fehling () Hamburg-Mannheimer de wrote:
> Example: I have an NT-Host behind the FW which is vulnerable to POD or NetBIOS-Attacks. However, the FW-Host is supposed to filter out this kind of traffic. How far can I trust the _current_ products to do just that?
In an application layer gateway which doesn't forward, you should be able to build a high level of trust if you don't have proxies for the applications *and* the firewall itself isn't vulnerable. In a packet filtering firewall, as much as you trust the particular implementation. But of course, proxies get to be the same difficulty when it comes to things at the application's transport layer.

Trust modeling is complex, and the barriers to entry into a trusted space are quite high, and the path long. That's why you'll see a lot of us arguing against jumping to the 'latest and greatest' of anything, be it OS, product, or service. Your audit points, ability to have good audits, and following the issues should give you assurance based on your extension of trust.

Lastly, trust shouldn't be absolute.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () clark net which may have no basis whatsoever in fact."
PSB#9280