Re: How to Save The World (was: Antivirus vendor conspiracy theories)

["Paul D. Robertson" <paul () compuwar net>]

On Wed, 8 Dec 2004, Devdas Bhagat wrote:

> > > We need to publish a book of rants ;).
> >
> > In all seriousness, I have often thought it would be cool to have a
> > 'best-of' compilation from the archives. It would just be a freaking
> > nightmare for someone to read it all and pick 'em, sadly.

I've been considering a book idea, or just incorporating more practical
matter into the Firewall FAQ- unfortunately, those I've attempted to rope
into helping with the FAQ seem to have slipped the ropes..

> Well, that sounds like a call for volunteers. Editorial nominations
> please? Or maybe the ex and current moderators get nominated as editors
> (if they are willing) and we can send the best threads, rants and quotes
> of our choice to them for filtering and compiling.

I'm willing to consider being volunteered.

> This should give some interesting results, given the level of clue on
> this list.

Indeed.

> In context, is http easy to proxy securely? AFAIK, HTTP is a major
> offender because the protocol does not specify limits for a lot of
> operations but leaves them implementation and configuration dependent.

It's worse, it specifies no limits in a few places AFAIR.

> So, are there any good stateful inspection engines which can analyse
> data streams, and stop attacks? Including the capability to decode
> encoded (as opposed to encrypted) traffic on the fly? Can I poke at an
> email stream and figure out that this HTMLised base64 encoded mail with
> inline attachment is spam/a virus, but this other thing is not? And then
> break the communication without having it time out or get interrupted
> (which is responded to by resending the mail again)? And what happens
> with UTF8 data streams?

Hehehe...

> > There are two reasons why I like "Deep Inspectotron Application Fireweasels
> > (DIAF)" better than true proxies.
> >
> > 1. You don't have to implement the whole damn thing, which leaves you more
> > time to get to grips with filtering out badstuff. This is the key reason
> > DIAF != "Proxy But Different"
>
> IMHO, it is better to filter out the good stuff and pass it through.
> Defaulting to a state of denial is a good thing.
>
> > 2. You can do it way, way faster with little effort. It's very amenable to
> > turning into circuits.
> >
> > Lots of people probably see 1. above as a negative, not a positive, and I
> > used to think that way as well. However, I do not believe that it is
> > possible to implement the same kind of strict proxy that we used to be able
> > to do with, say, SMTP or FTP. Given that vendors don't/won't/can't do that,
> > they make cop-out proxies for the tricky protocols, which basically just
> > take attack traffic and add 150ms latency. Like Gauntlet. (I can tease them
> > now they're dead ;) Rather than do that, why _not_ pull out known bad stuff
> > based on generic "you probably don't want that much data in this header", or
> > "I doubt this mail address is meant to contain a 300K uuencoded attack
> > payload" type rules.
>
> I think that it is much more about the default stance that is associated
> with each product. A proxy firewall implies a default deny stance
> (plug-gw excepted). A DIAF tends to make me think of a default allow

Plug-gw is why I prefer the term "application layer gateway"- since
plug-gw is really a transport layer proxy, and it should be differentiated
(well, I still think the thing should have been killed before release.)

> stance. If a strict proxy is not available, perhaps those protocols
> should not be used on the open internet? There are tunneling
> technologies available which can make the use of those protocols
> reasonably safe.
>
> > Now I don't use DIAFs, we don't sell 'em, I have no vested interest, I just
> > think it's slighter nicer to have a DIAF than a plain ol' boring FW,
> > PROVIDED that it doesn't use IDS style signatures. I do not, however, think
> > that a DIAF goes any significant way to obviating the need for defence in
> > depth and host protection, as some marketeers will try to claim. It's more
> > like version upgrading your firewall than implementing a 'new' technology.
> Right. And at that point, I will raise the question of what a DIAF is
> worth if it takes a significant effort to maintain but gives low
> returns.

Paul
Ranter-in-Chief
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards