Firewall Wizards mailing list archives
RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY
From: agetchel () kde state ky us
Date: Tue, 20 Feb 2001 16:33:02 -0500
Apples and oranges. Of course a firewall can't keep someone from defacing a web server which it's protecting, they work at a lower layer and don't care if that HTTP packet which just entered its external interface contains a buffer overflow attack. The firewall is there to keep people from telnetting, SSHing, or establishing a NetBIOS session with the server and gaining direct access. They are an _access control_ device.

To address security problems at a higher layer, and protect against the above mentioned web site defacements, you need to think about patching your boxes and using a reverse application proxy that can detect attacks which may be used in the defacement process (such as Unicode attacks or, like I mentioned above, buffer overflow attacks). _Any box_ which can be accessed over a network can be broken into, the security devices used to protect that box just make it for the intruder. Firewalls do a _very good_ job of that. Bottom line, don't try and solve a layer-7 problem with a layer-3/layer-4 device.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/
-----Original Message-----
From: Darren Reed [mailto:darrenr () reed wattle id au]
Sent: Tuesday, February 20, 2001 2:16 PM
To: agetchel () kde state ky us
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Next Generation Security Architecture

In some email I received from agetchel () kde state ky us, sie wrote:
[Charset iso-8859-1 unsupported, filtering to ASCII...]

> > By putting all of that behind us and taking a fresh new look at security, at this Firewall technology that is well past its sell by date, a next generation architecture can be developed that will get the enterprise where it needs to go, in order to be agile and competitive in the network economy.
>
> I agree that it's time to take a fresh look at security architecture technology and start looking where the future of electronic security will lead us, but give credit where credit is due. The 'dated' firewall technology is still widely used because it is an aged, proven, and reliable way of doing things that's very versatile and affordable. In the security world, as you well know, sometimes that's exactly what the doctor ordered.

Excuse me ? How reliable is it if defacing of web sites (protected by firewalls) is still a regular occurrence ?

With new technology like SOAP, people are slowly making a joke out of firewalls.

Darren
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards