Firewall Wizards mailing list archives
Re: Re: Code Red: What security specialist don't mention in warnings(Frank Knobbe)
From: Balazs Scheidler <bazsi () balabit hu>
Date: Sat, 11 Aug 2001 14:13:09 +0200
On Wed, Aug 08, 2001 at 09:44:42AM +1000, Darren Reed wrote:
> In some email I received from Joseph Steinberg, sie wrote:
>
> So you're saying every piece of software that interacts with another via
> the network is to be filtered through an application proxy/tool ? I find
> that unacceptable. How the heck do we know that this filter isn't buggy ?
> Where are the guarantees for it saying it has no buffer overflows ?
>
> Simply deploying more layers between two parties does NOT fix the problem,
> just attempts to hide it. The problem here is quality of software (or lack
> thereof) and the ability of vendors to legally provide/sell bugware.
Firewalls (I mean both packet filtering and applevel gateways) wouldn't be needed _iff_ every host (workstation, server ...) would be a perfect and secure entity on its own. Given you have thousands of hosts to protect, possibly running different software, you probably have several vulnerabilities. Deploying the firewall which _understands_ and verifies every bit of transmitted transactions _may_ offer a solution without all your protected hosts being perfect.

A firewall is a single entity to maintain, or to audit, and a single point where security problems can be solved for a lot of hosts. Of course it's therefore a single point of failure as well. You said firewalls themselves can have bugs as well, this is true; this problem can be remedied (but not solved) by using two different firewalls, possibly both parsing the application protocol.

The latest CodeRedII worms can easily be filtered without signatures in IDS systems: it violates the HTTP protocol, the URL it sends contains an invalid character sequence ('%' must be followed by either another '%' or exactly two hexadecimal digits), thus a good application gateway can protect against it. I'm not saying that every buffer overflow can be caught by app level gateways, but chances are that they catch more of them than simple packet filters.

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
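The protocol-validation check Bazsi describes, as an added example that is not part of the original message or of any firewall product: a small application-gateway style filter that parses an HTTP request line and rejects any request URI in which a '%' is not followed by exactly two hexadecimal digits. The `allow_double_percent` switch implements the post's rule that '%%' is also acceptable; RFC 2396 itself defines only the `%HH` form, so a stricter gateway can turn that allowance off. The request lines below are constructed samples (the bad ones use made-up invalid escapes), and the function names `check_percent_encoding`, `gateway_verdict` and `audit` are assumptions of this example.

```python
import re

HEX_DIGITS = set("0123456789abcdefABCDEF")

# Request-line shape: METHOD SP Request-URI SP HTTP/major.minor
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def check_percent_encoding(uri: str, allow_double_percent: bool = True) -> tuple:
    """Walk the request URI and verify every percent escape is well formed.

    Returns (ok, reason). A '%' must be followed by exactly two hex digits;
    with allow_double_percent=True a literal '%%' pair is also accepted, as the
    post's rule states (RFC 2396 only defines %HH, hence the switch).
    """
    i, n = 0, len(uri)
    while i < n:
        if uri[i] != "%":
            i += 1
            continue
        if allow_double_percent and uri[i + 1:i + 2] == "%":
            i += 2  # '%%' pair, accepted under the post's rule
            continue
        escape = uri[i + 1:i + 3]
        if len(escape) == 2 and all(c in HEX_DIGITS for c in escape):
            i += 3  # well-formed %HH escape
            continue
        # Either the URI ends mid-escape or a non-hex character follows '%'
        return False, "invalid escape at offset %d: %r" % (i, uri[i:i + 3])
    return True, "ok"


def gateway_verdict(request_line: str, allow_double_percent: bool = True) -> str:
    """Decide ALLOW/DROP for one request line the way a proxy would.

    Anything that is not a syntactically valid request line is dropped
    before the URI is even looked at; then the URI escapes are validated.
    """
    m = REQUEST_LINE.match(request_line)
    if not m:
        return "DROP: malformed request line"
    ok, reason = check_percent_encoding(m.group(2), allow_double_percent)
    if not ok:
        return "DROP: " + reason
    return "ALLOW"


# Constructed sample request lines (not captured traffic)
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /search?q=a%20b HTTP/1.1",
    "GET /cgi-bin/x.cgi?%zz HTTP/1.0",   # constructed: '%' followed by non-hex
    "GET /report%2 HTTP/1.0",             # constructed: escape truncated at end
    "POST /upload%%done HTTP/1.0",        # '%%' pair, allowed under the post's rule
    "not an http request line",           # garbage that no parser should pass
]


def audit(requests, allow_double_percent: bool = True):
    """Return [(request_line, verdict), ...] for a batch of request lines."""
    return [(r, gateway_verdict(r, allow_double_percent)) for r in requests]


if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_REQUESTS):
        print("%-40s %s" % (line, verdict))
```

The point of the example is the one Bazsi makes: the filter has no knowledge of any particular worm, it only enforces what the protocol grammar permits, so every request whose URI cannot be a valid percent-encoded string is dropped regardless of what payload follows the bad escape.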