Firewall Wizards mailing list archives
Re: Protecting publicly reachable servers (e.g. HTTP)?
From: Yehavi Bourvine +972-2-6585684 <YEHAVI () vms HUJI AC IL>
Date: Sat, 24 Nov 2001 8:58 +0200
"Patrick M. Hausen" <hausen () punkt de> said:
> My reasoning has always been that - given the state of firewall products today - a static packet filter that blocks all but port 80 would be the most appropriate solution to offer some sort of protection to the server machine.
I also think so, but this is only *in addition* to making the HTTP server secure and up to date. I think that there is a place for an application-aware firewall which filters the incoming HTTP requests, but I haven't seen such a beast so far (or at least a general-purpose one, and not ad-hoc solutions like Cisco's level-7 access lists).
> Anyway, all competitors offered the customer elaborate and expensive setups consisting of at least two redundant firewall boxes, two switches, and those nice looking drawings with a lot of crossing lines that give managers the warm fuzzy impression of "redundancy" and "fail safety". Probably most of them are offering Nokia or PIX, but we weren't given that much detail. ;-)
You should differentiate between the "security" part of the offer and the "high availability" part.
> So basically, I have two questions to you all: 1. Do you agree with me wrt the firewall vs. packet filter topic?
Yes.
> What's the intention of all these companies offering more complicated setups?
High availability.
> 2. In the last couple of years a new type of device coined "layer 4 switch" appeared and these things seem to have reached a certain level of maturity and market penetration. I'm talking about load balancing devices like e.g. Big IP. Since these things actually look inside the HTTP requests to provide (at least they claim to provide) session and cookie persistence and similar stuff when distributing the requests to a farm of servers - what do you think these boxes add to the security of the web servers they "load balance"? Some claim to protect against certain types of DoS attacks, too.
They protect against DoS attacks since they spread the load. They are intended for speed and high availability/load, not for security...

__Yehavi:

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
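The point Yehavi makes above is that a port-80 packet filter passes every request on that port unread, while an application-aware filter can inspect the HTTP request itself. The following is an added illustration of such a request check, not code from the post or from any product named in it; the method allowlist and size limits are constructed policy values.

```python
# Added example: a minimal application-aware HTTP request filter of the kind
# a static port-80 packet filter cannot provide. Policy values are constructed.
from urllib.parse import unquote

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # constructed allowlist
MAX_REQUEST_LINE = 2048                      # constructed limit
MAX_HEADER_COUNT = 50                        # constructed limit


def inspect_request(raw: bytes):
    """Return (allowed, reason). Inspects only the request head, not the body."""
    try:
        head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request head"
    lines = head.split("\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return False, "request line too long"
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    if not version.startswith("HTTP/1."):
        return False, "unsupported HTTP version"
    if not target.startswith("/"):
        return False, "request target must be an absolute path"
    # Decode percent-encoding once, then refuse traversal or control characters.
    decoded = unquote(target)
    if ".." in decoded.split("/") or any(ord(c) < 0x20 for c in decoded):
        return False, "path traversal or control character in target"
    headers = lines[1:]
    if len(headers) > MAX_HEADER_COUNT:
        return False, "too many headers"
    names = []
    for h in headers:
        if ":" not in h:
            return False, "malformed header line"
        names.append(h.split(":", 1)[0].strip().lower())
    if version == "HTTP/1.1" and "host" not in names:
        return False, "HTTP/1.1 request without Host header"
    return True, "ok"
```

A reverse proxy sitting behind the packet filter would call a check like this before forwarding to the web server, so that the filter's "allow port 80" decision is no longer the last word.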