Firewall Wizards mailing list archives

Re: encapsulated protocols?


From: "Mark Horn [ Net Ops ]" <mhorn () funb com>
Date: Thu, 5 Feb 1998 10:10:58 -0500

Adam Shostack says:
      No, I conclude that *for the mass market* packet filters will win because

1. They're faster

That really depends on the proxy and the application, doesn't it?  In the
particular case that started this whole issue, we were talking about
HTTP.  There are several caching HTTP proxies available.  For HTTP
performance to the Internet, it's hard to beat a cache.

Now as soon as you start talking about stateful packet filters, you're
also talking about something that, in addition to parsing the headers,
also parses some of the data stream.  In both cases, proxies vs. stateful
packet filtering, you have to parse the headers and the data.  You've just
lost the inherent speed benefit that is supposed to come with packet
filters.  If you decide that you only want a packet filter that only
inspects the headers, you've compromised more of your security because the
data stream is what really counts.

Of course, almost every protocol carries some significant amount of data
in its packets.  And the data is, more or less, arbitrary.  Anything can
be put into that data portion, including encapsulating the entirety of
TCP/IP.  And that's true for proxies as well as packet filters.

The long and short of this boils down to that last sentence.  How do you
prevent encapsulating entirely new communications streams inside the data
portion of a packet?  That's the question.  It is the same question for
stateful packet filtering as for proxies.

This, in practice, leads companies to fail to properly secure the machines behind it.

Isn't that entirely the point?  You said that you "follow Bellovin", well,
don't forget about the fundamental theorem of firewalls (please reference
"Firewalls and Internet Security" by Cheswick & Bellovin, p.7).

The fact that companies want to run large, and inherently buggy programs
is a failure to properly secure any machine that's running that large and
inherently buggy program.  I agree that it is very easy to get complacent,
and think that you don't need to do anything to the machines behind the
firewall.  But those machines, as long as they're running any program of
any reasonable complexity, can never be completely secured.

Thus, while having a firewall is only a piece of the puzzle, you can never
have complete internal security, so you'll always need a firewall.

-- 
Mark Horn <mhorn () funb com>

PGP Public Key available at: http://www.es.net/hypertext/pgp.html
PGP KeyID/fingerprint: 00CBA571/32 4E 4E 48 EA C6 74 2E 25 8A 76 E6 04 A1 7F C1