Re: Protecting publicly reacheable servers (e.g. HTTP)?

["Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>]

A belgian company, ubizen.com, released a product that could fit some of 
the requirements for a good application level firewall. The product is 
called dmz-shield.

Has anybody tryed it ?

----- Original Message -----
From: Yehavi Bourvine +972-2-6585684 <YEHAVI () vms HUJI AC IL>
Date: Sunday, November 25, 2001 4:53 pm
Subject: Re: [fw-wiz] Protecting publicly reacheable servers (e.g. 
HTTP)?

> "Patrick M. Hausen" <hausen () punkt de> said:
>
> > My reasoning has always been that - given the state of
> > firewall products today - a static packet filter that
> > blocks all but port 80 would be the most appropriate
> > solution to offer some sort of protection to the server
> > machine.
>
> I also think so, but this is only *in addition* to making the HTTP 
> serversecure and up-to-dated. I think that there is a place for an 
> application aware
> firewall which filters the incoming HTTP requests, but I didn't 
> see so far such
> a beast (or at least a general-purpose one, and not ad-hoc 
> solutions like
> Cisco's level-7 access lists).
>
> > Anyway, all competitors offered the customer elaborate and
> > expensive setups consisting of at least two redundant firewall
> > boxes, two switches, and those nice looking drawings with
> > a lot of crossing lines that give managers the warm fuzzy
> > impression of "redundancy" and "fail safety".
> > Probably most of them are offering Nokia or PIX, but we weren't
> > given that much detail. ;-)
>
> You should differentiate between the "security" part of the offer 
> and the "high
> availability" part.
>
> > So  basically, I have two questions to you all:
> >
> > 1. Do you aggree with me wrt to the firewall vs. packet filter 
> topic?
> Yes.
>
> >    What's the intention of all these companies offering more 
> complicated>    setups?
>
> High availability.
>
> > 2. In the last couple of years a new type of device coined 
> "layer 4 switch"
> >    appeared and these things seem to have reached a certain 
> level of
> >    maturity and market penetration. I'm talking about load balancing
> >    devices like e.g. Big IP.
> >
> >    Since these things actually look inside the HTTP requests to 
> provide>    (at least they claim to provide) session and cookie 
> persistence and
> >    similar stuff when distributing the requests to a farm of servers
> >    - what do you think these boxes add to the security of the web
> >    servers they "load balance"? Some claim to protect against 
> certain>    types of DoS attacks, too.
>
> They protect against DoS attack since they spread the load. They 
> are intended
> for speed and high availability/load, not for security...
>
>                                                         __Yehavi:
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards