Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from agetchel () kde state ky us, sie wrote:
> > Why can't it?  Or more to the point, why shouldn't it?
> >
> > Isn't that what's it's there to do - protect web servers, etc?
> >
> > If it can't provide protection from people defacing web servers
> > then what's the point of having it in the first place?  Why should
> > I pay $10k for a firewall if it can't protect my web server from
> > hackers?
>
>       The point of having a traditional layer-3/layer-4 firewall is to
> protect from _certain kinds_ of attacks, like I said before, from direct
> access attempts to the server itself.  You shouldn't have the expectation
> that a standard 'stateful inspection' or 'packet filtering' firewall would
> protect you from layer-7 exploits.

You seem to have made a whole bunch of assumptions about what I was
talking about when I said "firewall" and in essence, none of them are
true.  I never said anything about 'stateful inspection' or 'packet
filtering'.

A firewall is a firewall, be that what it is.
You buy it to protect your network and servers from hackers.

If it can't protect your web server from hackers then what sort of
protection is it really providing you?

> Like I said before, if you want layer-7 security, look at an application
> proxy.

Actually, you didn't say it before (or at least not in any email I've read).

> Why _shouldn't_ layer-3/layer-4 firewalls provide layer-7 security?

That's not the question I asked.  I asked why shouldn't firewalls protect
web servers.  Stop cheating.  To quote you from an earlier email:
[...]
> > >       Apples and oranges.  Of course a firewall can't keep someone
> > > from defacing a web server which it's protecting, they work at a
> > > lower layer and don't care if that HTTP packet which just entered
> > > it's external interface contains a buffer overflow attack.
[...]

Or are you willing to withdraw that comment about firewalls only being
low-level devices? :-)

> > That's one role.  But the fail when you start tunnelling one 
> > service inside
> > another.  This is what you can do with SSH, SOAP, etc.
>
>       Correct.  Like I said before, if you want layer-7 security, look at
> something which can inspect the payload of the packet itself to verify the
> integrity of the data being sent and received.  Application proxies do a
> wonderful job at this.

You can't proxy ssh or at least I wouldn't accept an ssh connection that
was proxied :)

> > > They are an _access control_ device
> >
> > That's another role.
>
>       Access control is the _primary_ role of a layer-3/layer-4 firewall
> in most cases.

This is one instance where you should have left the "layer-3/layer-4" out.

> > That's a separate problem.
>
>       No, that's _the_ problem you are trying to solve that you state a
> layer-3/layer-4 firewall can't do the job, and you're correct.

I didn't state that it couldn't do the job - you did.
I asked this:

> > Why can't it?  Or more to the point, why shouldn't it?

(You should really try reading what people write in emails, not what you
 think has been written.)

> That's why there are application proxies.

No it isn't.

> They provide layer-7 security which protect
> against most all of the typical techniques used for defacing web sites.

Oh really?  That's news to me :)  If I install Gauntlet, it will magically
protect my web server from defacing - hmmm, I'd like to see that :)  I'm
sure the NAI folk could sell it well if it were true too :)

> If
> you want both layer-3/layer-4 security AND layer-7 security, use both tpyes
> of devices.

Or one with both as part of its capabilities.

>       What I'm trying to say here is that there's no _one_ security device
> that solves every problem and therefore no _one_ security device that is
> 100% guaranteed to protect servers from exploits.. This is why we have
> stateful inspection firewalls AND application proxies.  Why doesn't one
> product provide functionality at all layers?  Performance is a good reason.
> Providing security at layer-7 is slow, typically, and not appropriate for
> all scenarios.

Sure.

> > Who said a firewall had to be only a layer-3/layer-4 device ?
> >
> > What do you think a proxy firewall does, hmm?
>
>       I know what an application proxy, or 'proxy firewall' as you say it,
> is.  It provides layer-7 security like I stated above many times.  I never
> said a firewall had too only be a layer-3/layer-4 device, like you said,

In your previous email, discussing firewalls and what they could do, you
made this remark:

> > >       Bottom line, don't try and solve a layer-7 problem with a
> > > layer-3/layer-4 device.

I don't remember this distinction being made prior to your remarks.

> because we have application proxies which _are_ a type of firewall.  Perhaps
> we should try and define 'firewall'... =)

You are familiar with the firewall toolkit, are you not ?
What about SOCKS ?

Why do I feel like I'm teaching firewalls-101 here?

Or did the media redefine firewall to only mean packet filters while
we weren't watching ?  They already stole "hacker"...

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards