Firewall Wizards mailing list archives
Re: Firewall RISKS
From: "Paul D. Robertson" <proberts () clark net>
Date: Thu, 3 Jun 1999 08:13:22 -0400 (EDT)
On Tue, 1 Jun 1999, Robert Graham wrote:
> I just posted this e-mail to the RISKS list, but I thought I'd copy it here, too.

A minor point:

> Explanation: Firewall technology is based on "port filters". The

Not all firewalls are packet filtering firewalls.

> average web server has many ports open for a variety of reasons, but needs only port 80 in order to serve web pages. However, ColdFusion runs as part of the web server reachable at port 80. QED, placing a firewall in front of a web server provides no protection against the ColdFusion hack.

In the case of a firewall that has the ability to examine the HTTP method, the PUT method could be disabled from a range of pages. IMNSHO, that should be done at the Web server level anyway and "firewalls" beyond screening routers are fairly moot for public-access machines - host security wins every time.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
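
The contrast drawn in this message, between a port filter and a filter that can see the HTTP method, is sketched below as an added example that is not part of the original e-mail. The policy table, path prefixes and sample requests are constructed for illustration and do not describe any particular firewall or web server.

```python
# Added illustration: port-only filtering versus HTTP-method filtering.
# All paths, policies and requests below are constructed sample values.

ALLOWED_PORTS = {80}

# Hypothetical policy: path prefix -> HTTP methods permitted beneath it.
METHOD_POLICY = {
    "/": {"GET", "HEAD", "POST"},
    "/static/": {"GET", "HEAD"},
}

# Constructed sample requests, both addressed to port 80.
GET_REQ = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
PUT_REQ = b"PUT /static/logo.gif HTTP/1.0\r\nContent-Length: 0\r\n\r\n"


def port_filter(dst_port):
    """Screening-router view: only the destination port is visible."""
    return dst_port in ALLOWED_PORTS


def parse_request_line(raw):
    """Return (method, path) from the HTTP request line, or None if malformed."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    return method, target.split("?", 1)[0]  # drop any query string


def method_filter(raw):
    """Application-layer view: allow only methods listed for the longest
    matching path prefix. Malformed requests are rejected (fail closed).
    No path normalisation is done here; a real filter must handle that."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, path = parsed
    prefix = max((p for p in METHOD_POLICY if path.startswith(p)),
                 key=len, default=None)
    if prefix is None:
        return False
    return method in METHOD_POLICY[prefix]  # methods are case-sensitive


if __name__ == "__main__":
    for name, req in (("GET", GET_REQ), ("PUT", PUT_REQ)):
        print(name, "port filter:", port_filter(80),
              "method filter:", method_filter(req))
```

Both requests pass the port filter because they arrive on port 80; only the method-aware check distinguishes them, and the same rule can be enforced in the web server's own configuration.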