Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: Adam Shostack <adam () homeport org>
Date: Thu, 5 Feb 1998 02:46:07 -0500 (EST)
Aleph One wrote:
| On Wed, 4 Feb 1998, Adam Shostack wrote:
|
| > To recap: I think packet filters are the wave of the mass
| > market future, because proxies do not offer enough speed for the
| > (hard to understand) security wins that they offer. I think there
| > will be a variety of tools and applications to help you secure the
| > machines behind your packet filters. Those tools and applications
| > will be a lot more useful where there are security features to build
| > on. Securing Win31-98 will remain a huge pain in our craw for a long
| > time.
|
| You conclude that proxies are not cost effective because they do not
| understand the tunneling done over HTTP by certain protocols.

No, I conclude that *for the mass market* packet filters will win because

1. They're faster

This is inherent in the design of a proxy. It must parse the TCP/IP headers and the TCP stream; packet filters only need to parse the headers.

2. The benefit of a proxy is hard to understand

This was my experience as a consultant. It usually took upwards of half an hour to explain the benefits of a plug to a technical manager well enough that they really saw what I meant. Nothing that takes half an hour to explain wins in the mass market.

3. Exploits are easier to write than proxies, and there are better exploit cookbooks, and there are more people writing exploits than proxies.

(N+1. They're less secure, and less secure almost always wins.)

| Following your line of thought applications such as Secure Networks
| Ballista, ISS's Internet Security Scanner and even Netect's product are
| useless as well since they can't defend you against new or unknown
| vulnerabilities they do not yet test for.

That's not the way I'd state it, but yes, I can make the case for every security tool out there being close to worthless. As a Well Known Expert said to me this summer, "I may have depressed myself out of a job."

I choose to follow Bellovin, and quote 'It is not your part to finish the task, yet you are not free to desist from it.' (I'll happily expound on this over beer at the next conference we both attend.)

Let me explain the value of tools like Ballista, ISS, and Netective as I see them. Firewalls are becoming more porous for a variety of reasons. These include the real world popularity of packet filters (and packet filters running on NT. Checkpoint has 50% of the market, and they see a much larger customer demand for NT based firewalls. I see NT as not yet ready for prime time in the security domain.) It also includes the growth of extranets, intranet connections to partners/competitors, etc. (See MJR's Future of Firewalls off http://www.clark.net/pub/mjr/pubs/index.shtml)

Another reason I'm less and less fond of firewalls beyond packet filters is that it concentrates your security efforts at what I've come to believe is the wrong place. A packet filter is useful because it allows you to connect to the internet without exposing your intranet. A proxy is useful for the same reason, but it offers enhanced defense for the machines behind it. This, in practice, leads companies to fail to properly secure the machines behind it. This means that those machines are not secure against attack by employees, temps, contractors, employees of your business partners, etc. As the extranet marketecture continues to win executive support without proper consideration being given to security, this becomes more and more dangerous. Thus, I see a value in assessment tools that offer the ability to rapidly check machines for vulnerabilities.

| The problem is that you view your firewall as a static component that does
| not change. Network security scanners like the ones you mention have come
| with a subscription to updates that include new vulnerabilities as they
| are found. In a similar way, firewalls should include a subscription to
| updates that would include new protocols and encapsulated protocols as the
| firewall vendor implements them.

Should != Do.

I'll note that one of Netect's advantages is a push based update mechanism that will allow us to update our customers very quickly. (This update mechanism is where we'll be partnering with PGP/NAI--every copy of Netective includes pgp to verify the updates as they come in, and an install-update program to process them in a secure and paranoid fashion. That program is shipped crystal box.)

| In this case your firewall vendor should send you an update that deals with
| VXTreme (RealAudio, etc) streaming over HTTP.

Proxies take longer to develop than exploits. When a problem is found, it's easier to develop a test for the problem, and ship that with pointers to vendor patches than it is to develop a new proxy and ship that. Both approaches are useful. The proxy mechanism was developed because it was easier to do than quickly updating all of your machines.

I expect that a hybrid approach, based on packet filters, fast vulnerability assessment, intrusion detection, and maybe other things like strong encryption, the abandonment of application programming in C (and other fixed length string languages), will provide the security of the future.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
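The distinction the thread turns on (a packet filter decides from headers alone, a proxy must reassemble and parse the application stream, and a proxy only recognises the encapsulations its vendor has taught it) can be made concrete with a small simulation. The following is an added example written for this archive page, not code from either poster or from any of the products named; the intranet range, the filter rule, the list of body types the proxy "understands" and all four sample segments are constructed, and the binary "stream" bytes stand in for an arbitrary non-HTTP protocol rather than reproducing any real streaming format.

```python
"""Constructed comparison: a header-only packet filter and an HTTP-parsing
proxy decide on the same TCP segments.  Added example; rules, addresses
and payloads are all made up for illustration."""
from __future__ import annotations
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes          # reassembled client->server bytes at connection start

INTRANET_PREFIX = "10.0.0."            # assumed internal address range
ALLOWED_BODY_TYPES = {                  # encapsulations this proxy build understands
    b"application/x-www-form-urlencoded",
    b"text/plain",
}
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST) (/\S*) HTTP/1\.[01]\r\n")

def packet_filter(seg: Segment) -> bool:
    """Header-only rule: allow intranet -> any host on TCP/80.  Payload is never read."""
    return seg.src_ip.startswith(INTRANET_PREFIX) and seg.dst_port == 80

def parse_http_head(payload: bytes):
    """Return (method, path, headers) or None if the stream is not a well-formed
    HTTP/1.x request head.  This is the work a packet filter never does."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    end = payload.find(b"\r\n\r\n")
    if end < 0:
        return None                     # head not complete yet
    headers = {}
    for line in payload[m.end():end].split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            return None                 # malformed header line
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers

def http_proxy(seg: Segment) -> tuple[bool, str]:
    """Application-layer decision layered on the same header rule."""
    if not packet_filter(seg):
        return False, "blocked by header rule"
    parsed = parse_http_head(seg.payload)
    if parsed is None:
        return False, "port 80 but not an HTTP request"
    method, path, headers = parsed
    if method == b"POST":
        # An unknown body type is the 'new encapsulated protocol' case: the proxy
        # must be updated before it can let this through knowingly.
        ctype = headers.get(b"content-type", b"").split(b";")[0].strip().lower()
        if ctype not in ALLOWED_BODY_TYPES:
            return False, "unknown body type %s" % ctype.decode(errors="replace")
    return True, "HTTP %s %s" % (method.decode(), path.decode())

def decide(seg: Segment) -> dict:
    """Both verdicts side by side for one segment."""
    return {"packet_filter": packet_filter(seg), "proxy": http_proxy(seg)}

# Constructed traffic (addresses from documentation ranges; payloads made up).
SAMPLES = {
    "plain_get": Segment("10.0.0.7", "192.0.2.10", 40001, 80,
        b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    "raw_stream_on_80": Segment("10.0.0.7", "192.0.2.10", 40002, 80,
        b"\x00\x03STRM\x01\x00\x10" + b"\x2a" * 16),
    "tunnel_in_post": Segment("10.0.0.7", "192.0.2.10", 40003, 80,
        b"POST /stream HTTP/1.0\r\nHost: example.test\r\n"
        b"Content-Type: application/x-constructed-stream\r\nContent-Length: 16\r\n\r\n"
        + b"\x2a" * 16),
    "from_outside": Segment("198.51.100.9", "192.0.2.10", 40004, 80,
        b"GET / HTTP/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(name, decide(seg))
```

The header rule passes the first three segments identically, since each is intranet-to-port-80; only the proxy separates the ordinary GET from raw bytes on port 80 and from a protocol wrapped in an HTTP POST, and the third case is rejected only because the constructed content type is absent from ALLOWED_BODY_TYPES, which is exactly the table a vendor update would have to extend. The extra work is also visible: parse_http_head walks every header line, which is the per-connection cost the post attributes to proxies.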
Current thread:
- encapsulated protocols? Mark Horn [ Net Ops ] (Feb 03)
- Re: encapsulated protocols? Adam Shostack (Feb 04)
- Re: encapsulated protocols? Aleph One (Feb 06)
- Re: encapsulated protocols? Adam Shostack (Feb 06)
- Re: encapsulated protocols? Mark Horn [ Net Ops ] (Feb 06)
- Re: encapsulated protocols? Adam Shostack (Feb 07)
- IPsec and firewalls Aleph One (Feb 07)
- Re: IPsec and firewalls carson (Feb 09)
- Re: IPsec and firewalls Aleph One (Feb 09)
- Re: IPsec and firewalls carson (Feb 09)
- Re: IPsec and firewalls Adam Shostack (Feb 09)
- Re: IPsec and firewalls carson (Feb 09)
- Re: encapsulated protocols? Aleph One (Feb 06)
- Re: encapsulated protocols? Adam Shostack (Feb 04)
- Effect of full disk on logging under FW-1 v 2.1? Bret Watson (Feb 09)
- Re: IPsec and firewalls Ted Doty (Feb 09)