Firewall Wizards mailing list archives
Re: encapsulated protocols?
From: "Mark Horn [ Net Ops ]" <mhorn () funb com>
Date: Thu, 5 Feb 1998 10:10:58 -0500
Adam Shostack says:
> No, I conclude that *for the mass market* packet filters will win because 1. They're faster
That really depends on the proxy and the application, doesn't it? In the particular case that started this whole issue, we were talking about HTTP. There are several caching HTTP proxies available. For HTTP performance to the Internet, it's hard to beat a cache.

Now as soon as you start talking about stateful packet filters, you're also talking about something that, in addition to parsing the headers, also parses some of the data stream. In both cases, proxies vs. stateful packet filtering, you have to parse the headers and the data. You've just lost the inherent speed benefit that is supposed to come with packet filters. If you decide that you only want a packet filter that only inspects the headers, you've compromised more of your security because the data stream is what really counts.

Of course, almost every protocol carries some significant amount of data in its packets. And the data is, more or less, arbitrary. Anything can be put into that data portion, including encapsulating the entirety of TCP/IP. And that's true for proxies as well as packet filters.

The long and short of this boils down to that last sentence. How do you prevent encapsulating entirely new communications streams inside the data portion of a packet? That's the question. It is the same question for stateful packet filtering as for proxies.
> This, in practice, leads companies to fail to properly secure the machines behind it.
Isn't that entirely the point? You said that you "follow Bellovin", well, don't forget about the fundamental theorem of firewalls (please reference "Firewalls and Internet Security" by Cheswick & Bellovin, p.7). The fact that companies want to run large, and inherently buggy programs is a failure to properly secure any machine that's running that large and inherently buggy program. I agree that it is very easy to get complacent, and think that you don't need to do anything to the machines behind the firewall. But those machines, as long as they're running any program of any reasonable complexity, can never be completely secured. Thus, while having a firewall is only a piece of the puzzle, you can never have complete internal security, so you'll always need a firewall.

--
Mark Horn <mhorn () funb com>
PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprt: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1
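The contrast the post draws, a filter that looks only at headers versus one that parses the data stream, can be made concrete. The following is an added example, not code from the original message or from either list member: a header-only HTTP check beside a content-inspecting check that parses the request body and flags it when it begins with a self-consistent IPv4 header (version, IHL, total length, and RFC 791 header checksum all agree). The requests, addresses and packet contents are constructed for the example; `http_post`, `build_ipv4_packet`, `looks_like_ipv4_packet` and the two verdict functions are names chosen here, not a library API.

```python
import socket
import struct

# Constructed sample traffic: a benign form POST and a POST whose body is a raw
# IPv4 packet. Neither is real captured data.


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, valid checksum) around payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20 bytes)
        0,                    # DSCP/ECN
        20 + len(payload),    # total length
        0x1234,               # identification (arbitrary, constructed)
        0x4000,               # flags: DF, fragment offset 0
        64,                   # TTL
        proto,                # protocol number
        0,                    # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload


def looks_like_ipv4_packet(data: bytes) -> bool:
    """True if data begins with a self-consistent IPv4 header."""
    if len(data) < 20:
        return False
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(data) < ihl:
        return False
    total_length = struct.unpack("!H", data[2:4])[0]
    if total_length < ihl or total_length > len(data):
        return False
    # A correct stored checksum makes the checksum over the header verify to zero.
    return ipv4_checksum(data[:ihl]) == 0


def http_post(body: bytes, content_type: bytes = b"application/octet-stream") -> bytes:
    """Construct an HTTP/1.1 POST request carrying body."""
    return (b"POST /upload HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


def header_only_verdict(request: bytes) -> str:
    """Packet-filter style: decide from the request line alone."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return "deny"
    method, _target, version = parts
    if method in (b"GET", b"POST", b"HEAD") and version.startswith(b"HTTP/1."):
        return "allow"
    return "deny"


def content_inspecting_verdict(request: bytes) -> str:
    """Proxy / stateful style: parse the headers, then look inside the body."""
    if header_only_verdict(request) == "deny":
        return "deny"
    _head, _sep, body = request.partition(b"\r\n\r\n")
    if looks_like_ipv4_packet(body):
        return "flag-encapsulated"
    return "allow"


BENIGN_REQUEST = http_post(b"user=alice&action=view",
                           b"application/x-www-form-urlencoded")
# Constructed: an IPv4/UDP packet carried as the POST body (RFC 5737 test addresses).
ENCAPSULATED_REQUEST = http_post(
    build_ipv4_packet("192.0.2.10", "198.51.100.20", 17, b"\x00" * 8 + b"hello"))

if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("encapsulated", ENCAPSULATED_REQUEST)):
        print(name, header_only_verdict(req), content_inspecting_verdict(req))
```

Both requests pass the header-only check, since the request line is legitimate HTTP in each case; only the check that parses the body separates them, and that parsing is the work the post says removes the packet filter's speed advantage. The heuristic recognizes only a raw, unencoded IP header at the start of the body, so it illustrates the cost of inspection rather than closing the question the post leaves open for both architectures.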