Firewall Wizards mailing list archives

RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY


From: agetchel () kde state ky us
Date: Tue, 20 Feb 2001 16:33:02 -0500

        Apples and oranges.  Of course a firewall can't keep someone from
defacing a web server which it's protecting, they work at a lower layer and
don't care if that HTTP packet which just entered its external interface
contains a buffer overflow attack.  The firewall is there to keep people
from telneting, SSHing, or establishing a NetBIOS session with the server
and gaining direct access.  They are an _access control_ device.  To address
security problems at a higher layer, and protect against the above mentioned
web site defacements, you need to think about patching your boxes and using
a reverse application proxy that can detect attacks which may be used in the
defacement process (such as Unicode attacks or, like I mentioned above,
buffer overflow attacks).  _Any box_ which can be accessed over a network
can be broken into, the security devices used to protect that box just make
it for the intruder.  Firewalls do a _very good_ job of that.

        Bottom line, don't try and solve a layer-7 problem with a
layer-3/layer-4 device.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel () kde state ky us
Web     http://www.kde.state.ky.us/
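To make the layer-3/4 vs. layer-7 distinction above concrete, here is a small model I have added to the archive page (it is my own illustration, not code from either poster or from any product). A packet filter matches only address, protocol and port, so a request to tcp/80 is allowed no matter what the HTTP payload carries, while a reverse application proxy looks inside the request and can refuse overlong request lines (the buffer-overflow pattern), invalid or overlong UTF-8 hidden in percent-encoding (the Unicode pattern), and traversal that only appears after decoding. The policy, the address 192.0.2.10 (an RFC 5737 documentation address) and the 2048-byte limit are constructed for the example.

```python
import urllib.parse

# Constructed layer-3/4 policy: the filter sees only the 5-tuple, never the payload.
WEB_SERVER = "192.0.2.10"  # constructed documentation address (RFC 5737)
L4_POLICY = [
    # (destination ip, protocol, destination port, action)
    (WEB_SERVER, "tcp", 80, "allow"),
    (WEB_SERVER, "tcp", 443, "allow"),
]


def l4_filter(dst_ip, proto, dst_port):
    """Packet-filter decision: 5-tuple match only, default deny.

    telnet (23), SSH (22) and NetBIOS session (139) never match, so they are
    dropped; an HTTP request to port 80 is allowed whatever it contains.
    """
    for ip, p, port, action in L4_POLICY:
        if (ip, p, port) == (dst_ip, proto, dst_port):
            return action
    return "deny"


MAX_REQUEST_LINE = 2048  # hypothetical reverse-proxy limit on the request line


def l7_inspect(request_line: bytes):
    """Reverse-application-proxy check on one HTTP request line.

    Returns ("accept", decoded_path) or ("reject", reason).
    """
    if len(request_line) > MAX_REQUEST_LINE:
        return ("reject", "request line exceeds limit (overflow-style payload)")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return ("reject", "malformed request line")
    method, target, version = parts
    # Percent-decode to raw bytes first, then decode strictly: Python's UTF-8
    # codec refuses overlong and otherwise invalid sequences.
    raw_path = urllib.parse.unquote_to_bytes(target)
    try:
        path = raw_path.decode("utf-8")
    except UnicodeDecodeError:
        return ("reject", "invalid or overlong UTF-8 in percent-encoded path")
    # Traversal is checked only after decoding, so %2e%2e is caught as well.
    if ".." in path.split("/"):
        return ("reject", "path traversal after decoding")
    return ("accept", path)


def evaluate(dst_ip, proto, dst_port, payload: bytes):
    """Run a constructed packet through both layers and report each verdict."""
    l4 = l4_filter(dst_ip, proto, dst_port)
    if l4 != "allow":
        return {"l4": l4, "l7": None}  # never reaches the proxy
    verdict, detail = l7_inspect(payload)
    return {"l4": l4, "l7": verdict, "detail": detail}


if __name__ == "__main__":
    # Constructed traffic: a telnet attempt, a clean request, and a request whose
    # path carries an overlong UTF-8 sequence (%c0%80) inside percent-encoding.
    print(evaluate(WEB_SERVER, "tcp", 23, b""))
    print(evaluate(WEB_SERVER, "tcp", 80, b"GET /index.html HTTP/1.0"))
    print(evaluate(WEB_SERVER, "tcp", 80, b"GET /%c0%80 HTTP/1.0"))
```

The second and third requests get the same answer from the packet filter ("allow"); only the proxy separates them, which is the point of the message above.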



-----Original Message-----
From: Darren Reed [mailto:darrenr () reed wattle id au]
Sent: Tuesday, February 20, 2001 2:16 PM
To: agetchel () kde state ky us
Cc: firewall-wizards () nfr net
Subject: Re: [fw-wiz] Next Generation Security Architecture


In some email I received from agetchel () kde state ky us, sie wrote:
[Charset iso-8859-1 unsupported, filtering to ASCII...]
By putting all of that behind us and taking a fresh new look
at security, at this Firewall technology that is well past 
its sell by date, a next generation architecture can be
developed that will get the enterprise where it needs to go,
in order to be agile and competitive in the network economy.

    I agree that it's time to take a fresh look at security architecture
technology and start looking where the future of electronic security will
lead us, but give credit where credit is due.  The 'dated' firewall
technology is still widely used because it is an aged, proven, and reliable
way of doing things that's very versatile and affordable.  In the security
world, as you well know, sometimes that's exactly what the doctor ordered.

Excuse me?

How reliable is it if defacing of web sites (protected by firewalls)
is still a regular occurrence?

With new technology like SOAP, people are slowly making a joke out
of firewalls.

Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards

