Firewall Wizards mailing list archives
RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY
From: agetchel () kde state ky us
Date: Wed, 21 Feb 2001 02:46:29 -0500
Why can't it? Or more to the point, why shouldn't it? Isn't that what it's there to do - protect web servers, etc? If it can't provide protection from people defacing web servers then what's the point of having it in the first place? Why should I pay $10k for a firewall if it can't protect my web server from hackers?
The point of having a traditional layer-3/layer-4 firewall is to protect from _certain kinds_ of attacks, like I said before, from direct access attempts to the server itself. You shouldn't have the expectation that a standard 'stateful inspection' or 'packet filtering' firewall would protect you from layer-7 exploits. If you believe that, then your firewall software vendor's sales folks are doing a really good job of selling their product. =) For example, our layer-3/layer-4 firewall can't provide layer-7 security (against exploits such as buffer overflows or Unicode attacks) to our ten server proxy cluster, but it blocks over a hundred access attempts per day from people trying to establish a NetBIOS session with them. Like I said before, if you want layer-7 security, look at an application proxy. Why _shouldn't_ layer-3/layer-4 firewalls provide layer-7 security? Why shouldn't my steel-toe boots protect my head should I fall down and hit it on a table? Because that's not what they're there for.
That's one role. But they fail when you start tunnelling one service inside another. This is what you can do with SSH, SOAP, etc.
Correct. Like I said before, if you want layer-7 security, look at something which can inspect the payload of the packet itself to verify the integrity of the data being sent and received. Application proxies do a wonderful job at this.
That's another role.
Access control is the _primary_ role of a layer-3/layer-4 firewall in most cases.
That's a separate problem.
No, that's _the_ problem you are trying to solve that you state a layer-3/layer-4 firewall can't do the job, and you're correct. That's why there are application proxies. They provide layer-7 security which protect against most all of the typical techniques used for defacing web sites. If you want both layer-3/layer-4 security AND layer-7 security, use both types of devices.
I beg to differ about that. Although I'm having some parsing problems with the latter part of that sentence.
What I'm trying to say here is that there's no _one_ security device that solves every problem and therefore no _one_ security device that is 100% guaranteed to protect servers from exploits. This is why we have stateful inspection firewalls AND application proxies. Why doesn't one product provide functionality at all layers? Performance is a good reason. Providing security at layer-7 is slow, typically, and not appropriate for all scenarios.
Who said a firewall had to be only a layer-3/layer-4 device ? What do you think a proxy firewall does, hmm?
I know what an application proxy, or 'proxy firewall' as you say it, is. It provides layer-7 security like I stated above many times. I never said a firewall had to only be a layer-3/layer-4 device, like you said, because we have application proxies which _are_ a type of firewall. Perhaps we should try and define 'firewall'... =)

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice 502-564-2020x225
E-mail agetchel () kde state ky us
Web http://www.kde.state.ky.us/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
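As an added example (not code from the message above, the list, or any product it mentions), the distinction the thread turns on: a toy layer-3/layer-4 packet filter that blocks NetBIOS session attempts by port but passes any TCP/80 packet without reading it, beside a toy layer-7 inspector that decodes the HTTP request target and rejects the directory-traversal forms the 'Unicode' IIS attacks used. The server address, ruleset, and sample packets are constructed for the example.

```python
# Added example, not code from the original mailing-list post: a toy
# layer-3/4 packet filter next to a toy layer-7 HTTP inspector, showing
# why the first cannot catch what the second does. Addresses, rules,
# packets and requests below are constructed for illustration.
from dataclasses import dataclass
from urllib.parse import unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    payload: bytes  # application data; a layer-3/4 filter never looks at it


# Layer-3/4 ruleset, first match wins, default deny. The web/proxy server
# is assumed to sit at 192.0.2.10 (documentation address, not a real host).
RULES = [
    ("tcp", "192.0.2.10", 139, "deny"),   # NetBIOS session service
    ("tcp", "192.0.2.10", 445, "deny"),   # SMB directly over TCP
    ("tcp", "192.0.2.10", 80, "allow"),   # HTTP to the web server
]


def l34_filter(pkt: Packet) -> str:
    """Packet filter: decides on protocol, destination and port only."""
    for proto, dst, dport, action in RULES:
        if pkt.proto == proto and pkt.dst == dst and pkt.dport == dport:
            return action
    return "deny"


def l7_inspect(payload: bytes) -> str:
    """Toy HTTP proxy check: parses the request line and rejects directory
    traversal, including percent-encoded and overlong-UTF-8 ("Unicode")
    forms, before anything reaches the real server."""
    try:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = request_line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return "deny"                       # not a well-formed request line
    if method not in ("GET", "HEAD", "POST") or not version.startswith("HTTP/1."):
        return "deny"
    raw = unquote_to_bytes(target.split("?", 1)[0])   # decode %xx exactly once
    try:
        path = raw.decode("utf-8")          # overlong forms such as %c0%af fail here
    except UnicodeDecodeError:
        return "deny"
    path = path.replace("\\", "/")          # IIS accepted backslash as a separator
    if not path.startswith("/") or ".." in path.split("/"):
        return "deny"                       # any '..' segment is a traversal attempt
    return "allow"


def decide(pkt: Packet) -> dict:
    """What each layer sees: the packet filter's verdict on the header and
    the proxy's verdict on the payload (only reached if the filter allows)."""
    l34 = l34_filter(pkt)
    l7 = l7_inspect(pkt.payload) if l34 == "allow" else "not reached"
    return {"l34": l34, "l7": l7}


# Constructed sample traffic from a client at 198.51.100.7.
NETBIOS_PROBE = Packet("tcp", "198.51.100.7", "192.0.2.10", 139, b"\x81\x00\x00D")
GOOD_REQUEST = Packet("tcp", "198.51.100.7", "192.0.2.10", 80,
                      b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
UNICODE_ATTACK = Packet("tcp", "198.51.100.7", "192.0.2.10", 80,
                        b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")
PLAIN_TRAVERSAL = Packet("tcp", "198.51.100.7", "192.0.2.10", 80,
                         b"GET /scripts/..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, pkt in [("netbios", NETBIOS_PROBE), ("good", GOOD_REQUEST),
                      ("unicode", UNICODE_ATTACK), ("traversal", PLAIN_TRAVERSAL)]:
        print(f"{name:10} {decide(pkt)}")
```

Run stand-alone, it shows the NetBIOS probe stopped by the packet filter, the ordinary request passed by both layers, and both traversal requests passed by the packet filter (they are just TCP/80 to an allowed host) and stopped only by the payload inspection; the 2001 Unicode attacks worked precisely because the server decoded the overlong sequence after its own path check, which is why the inspector refuses it rather than decoding it.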
Current thread:
- RE: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY agetchel (Feb 21)
- Re: Next Generation Security Architecture - TO MODERATOR - CORRECTED COPY Darren Reed (Feb 21)