Firewall Wizards mailing list archives

Re: Re: Air Gaps vs. Firewalls


From: "Chuck Swiger" <chuck () codefab com>
Date: Wed, 4 Oct 2000 17:33:16 -0400

On Tue, 03 Oct 2000 15:50:58 -0500, Rick Smith wrote:
> This is a surprise to me. Do web site developers really work with specs
> that would clearly define the possible values flowing through a URL?
> Is this common anywhere except perhaps the most sophisticated sites?

Some of us do, but no, it's not common.

> Even if one has such specs, wouldn't it make more sense to use those
> specs to automatically generate range and type checking code at
> the server end?

Agreed-- validation of FORM data and the like should be handled by the web  
application itself.  To a large extent, what constitutes "legitimate" and  
"illegitimate" data depends on information which a firewall should not touch  
or be aware of.

For example, imagine an online store, where pricing for items is held in a
database.  Let's say that items may not be in stock yet, so the web app needs
to know to not offer those items for sale.  How would a firewall determine
that a particular item number in a URL is available or not, short of
querying the database itself?

-Chuck

           Chuck Swiger | chuck () codefab com | Spin VBHY?
           -------------+-------------------+-----------
           "Diplomacy is the art of saying 'Nice doggy',
            while searching for a rock."  -- Talleyrand


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards
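
The online-store case from the message above, as an added example that is not part of the original post: a shape-only check of the kind a filter in front of the application could apply, next to server-side validation that consults the catalogue. The table layout, function names and sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

ITEM_RE = re.compile(r"[0-9]{1,6}")   # assumed item-number format
QTY_RE = re.compile(r"[0-9]{1,3}")    # assumed quantity format


def make_catalog():
    """Build a constructed in-memory catalogue (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE items ("
        "item_no INTEGER PRIMARY KEY, price_cents INTEGER, in_stock INTEGER)"
    )
    db.executemany(
        "INSERT INTO items VALUES (?, ?, ?)",
        [(1001, 1999, 1), (1002, 4500, 0)],  # 1002 exists but is not in stock
    )
    return db


def syntactic_check(raw_item):
    """All a stateless filter can decide: does the value have the right shape?"""
    return ITEM_RE.fullmatch(raw_item) is not None


def validate_order(db, raw_item, raw_qty):
    """Server-side validation: type and range first, then application state."""
    if not syntactic_check(raw_item):
        return (False, "malformed item number")
    if QTY_RE.fullmatch(raw_qty) is None or int(raw_qty) < 1:
        return (False, "bad quantity")
    row = db.execute(
        "SELECT price_cents, in_stock FROM items WHERE item_no = ?",
        (int(raw_item),),  # bound parameter, never string concatenation
    ).fetchone()
    if row is None:
        return (False, "unknown item")
    price_cents, in_stock = row
    if not in_stock:
        return (False, "not in stock")
    # The price comes from the database, never from the request.
    return (True, price_cents * int(raw_qty))
```

Item 1002 passes the shape check yet is rejected by `validate_order`, which is the decision that needs the database.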

