Firewall Wizards mailing list archives
Re: How to Save The World (was: Antivirus vendor conspiracy theories)
From: "Paul D. Robertson" <paul () compuwar net>
Date: Sat, 11 Dec 2004 21:17:28 -0500 (EST)
On Wed, 8 Dec 2004, Devdas Bhagat wrote:
We need to publish a book of rants ;).

In all seriousness, I have often thought it would be cool to have a 'best-of' compilation from the archives. It would just be a freaking nightmare for someone to read it all and pick 'em, sadly.
I've been considering a book idea, or just incorporating more practical matter into the Firewall FAQ- unfortunately, those I've attempted to rope into helping with the FAQ seem to have slipped the ropes..
Well, that sounds like a call for volunteers. Editorial nominations please? Or maybe the ex and current moderators get nominated as editors (if they are willing) and we can send the best threads, rants and quotes of our choice to them for filtering and compiling.
I'm willing to consider being volunteered.
This should give some interesting results, given the level of clue on this list.
Indeed.
In context, is http easy to proxy securely? AFAIK, HTTP is a major offender because the protocol does not specify limits for a lot of operations but leaves them implementation and configuration dependent.
It's worse, it specifies no limits in a few places AFAIR.
So, are there any good stateful inspection engines which can analyse data streams, and stop attacks? Including the capability to decode encoded (as opposed to encrypted) traffic on the fly? Can I poke at an email stream and figure out that this HTMLised base64 encoded mail with inline attachment is spam/a virus, but this other thing is not? And then break the communication without having it time out or get interrupted (which is responded to by resending the mail again)? And what happens with UTF8 data streams?
Hehehe...
There are two reasons why I like "Deep Inspectotron Application Fireweasels (DIAF)" better than true proxies.

1. You don't have to implement the whole damn thing, which leaves you more time to get to grips with filtering out badstuff. This is the key reason DIAF != "Proxy But Different".

IMHO, it is better to filter out the good stuff and pass it through. Defaulting to a state of denial is a good thing.

2. You can do it way, way faster with little effort. It's very amenable to turning into circuits.

Lots of people probably see 1. above as a negative, not a positive, and I used to think that way as well. However, I do not believe that it is possible to implement the same kind of strict proxy that we used to be able to do with, say, SMTP or FTP. Given that vendors don't/won't/can't do that, they make cop-out proxies for the tricky protocols, which basically just take attack traffic and add 150ms latency. Like Gauntlet. (I can tease them now they're dead ;) Rather than do that, why _not_ pull out known bad stuff based on generic "you probably don't want that much data in this header", or "I doubt this mail address is meant to contain a 300K uuencoded attack payload" type rules.

I think that it is much more about the default stance that is associated with each product. A proxy firewall implies a default deny stance (plug-gw excepted). A DIAF tends to make me think of a default allow stance.

Plug-gw is why I prefer the term "application layer gateway"- since plug-gw is really a transport layer proxy, and it should be differentiated (well, I still think the thing should have been killed before release.)

If a strict proxy is not available, perhaps those protocols should not be used on the open internet? There are tunneling technologies available which can make the use of those protocols reasonably safe.

Now I don't use DIAFs, we don't sell 'em, I have no vested interest, I just think it's slightly nicer to have a DIAF than a plain ol' boring FW, PROVIDED that it doesn't use IDS style signatures. I do not, however, think that a DIAF goes any significant way to obviating the need for defence in depth and host protection, as some marketeers will try to claim. It's more like version upgrading your firewall than implementing a 'new' technology.

Right. And at that point, I will raise the question of what a DIAF is worth if it takes a significant effort to maintain but gives low returns.
Paul
Ranter-in-Chief
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
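The thread above makes two points that are easy to state and less easy to see in practice: HTTP leaves many sizes unbounded, so any gateway has to impose its own limits, and a default-deny stance means rejecting anything the filter does not positively understand. The following is an added example written for this archive page; it is not code from the thread, from plug-gw, Gauntlet or any other product named in it. It checks a raw HTTP/1.x request head against hard limits and a short allow-list before anything is forwarded. Every limit, the set of allowed methods, the `Verdict` type and the sample requests are assumptions chosen for illustration.

```python
"""Default-deny HTTP request checker.

Added example for this archive page; it is not code from the thread or from
any product named in it. HTTP/1.1 puts no upper bound on the request line,
the number of headers or their length, so a gateway has to supply its own.
Every limit below is an assumption picked for illustration, not a standard.
"""
import re
from dataclasses import dataclass

MAX_REQUEST_LINE = 2048        # bytes (assumed)
MAX_HEADERS = 50               # header lines (assumed)
MAX_HEADER_LINE = 1024         # bytes per header line (assumed)
MAX_BODY = 1024 * 1024         # Content-Length cap in bytes (assumed)
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST"}   # everything else is denied

TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 tchar
VERSION = re.compile(rb"^HTTP/1\.[01]$")
CTL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")             # control bytes other than HT


@dataclass
class Verdict:
    allowed: bool
    reason: str


def check_request(raw: bytes) -> Verdict:
    """Return Verdict(True, "ok") only if every check passes; deny otherwise."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "no end of headers within buffer")
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]

    if len(request_line) > MAX_REQUEST_LINE:
        return Verdict(False, "request line too long")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return Verdict(False, "malformed request line")
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        return Verdict(False, "method not allowed: %r" % method)
    if not target.startswith(b"/") or CTL.search(target):
        return Verdict(False, "only clean origin-form targets accepted")
    if not VERSION.match(version):
        return Verdict(False, "unsupported version")

    if len(header_lines) > MAX_HEADERS:
        return Verdict(False, "too many headers")
    seen = {}
    for line in header_lines:
        if len(line) > MAX_HEADER_LINE:
            return Verdict(False, "header line too long")
        if line[:1] in (b" ", b"\t"):
            return Verdict(False, "obsolete line folding")
        name, colon, value = line.partition(b":")
        # A bare LF inside a value (a header split that CRLF splitting missed)
        # is caught by the control-byte check on the value.
        if not colon or not TOKEN.match(name) or CTL.search(value):
            return Verdict(False, "malformed header")
        seen.setdefault(name.lower(), []).append(value.strip())

    if b"host" not in seen:
        return Verdict(False, "missing Host header")
    if b"transfer-encoding" in seen:
        # Denying chunked bodies outright also removes the CL/TE disagreement
        # that request-smuggling attacks rely on.
        return Verdict(False, "Transfer-Encoding not accepted")
    lengths = set(seen.get(b"content-length", []))
    if len(lengths) > 1:
        return Verdict(False, "conflicting Content-Length values")
    if lengths:
        (length,) = lengths
        if not length.isdigit():
            return Verdict(False, "non-numeric Content-Length")
        if int(length) > MAX_BODY:
            return Verdict(False, "body too large")
    return Verdict(True, "ok")


# Constructed sample requests for the demo (not captured traffic).
SAMPLES = {
    "ok": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: x\r\n\r\n",
    "oversized header": b"GET / HTTP/1.1\r\nHost: h\r\nX-Pad: " + b"A" * 2000 + b"\r\n\r\n",
    "smuggling shape": (b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 4\r\n"
                        b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "denied method": b"TRACE / HTTP/1.1\r\nHost: h\r\n\r\n",
    "bare-LF header": b"GET / HTTP/1.1\r\nHost: h\nX-Injected: 1\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        v = check_request(req)
        print("%-17s %s  %s" % (label, "ALLOW" if v.allowed else "DENY ", v.reason))
```

The checker never tries to understand the whole protocol; it only needs to know what a well-formed head looks like and how big each piece is allowed to be, which is the "you probably don't want that much data in this header" rule from the thread made concrete. Anything outside that shape, including a method it has never heard of or a body framing it does not implement, is refused rather than passed along, so the stance stays default-deny even though the code is far smaller than a full proxy.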
Current thread:
- RE: Antivirus vendor conspiracy theories Ames, Neil (Dec 02)
- RE: Antivirus vendor conspiracy theories Mark Teicher (Dec 05)
- Re: Antivirus vendor conspiracy theories Danny (Dec 05)
- Re: Antivirus vendor conspiracy theories Devdas Bhagat (Dec 05)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 07)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Devdas Bhagat (Dec 07)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 11)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Devdas Bhagat (Dec 11)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Paul D. Robertson (Dec 12)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Marcus J. Ranum (Dec 12)
- Book of rants (was Re: How to Save The World (was: Antivirus vendor conspiracy theories)) Devdas Bhagat (Dec 12)
- Re: Book of rants Jason Lewis (Dec 12)
- Re: Re: Book of rants Devdas Bhagat (Dec 12)
- Re: Re: Book of rants Christopher Hicks (Dec 12)
- Archives (was Re: Re: Book of rants) Devdas Bhagat (Dec 12)
- Re: Archives (was Re: Re: Book of rants) Jason Lewis (Dec 12)
- Re: Archives (was Re: Re: Book of rants) Paul D. Robertson (Dec 13)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Ben Nagy (Dec 07)
- RE: How to Save The World (was: Antivirus vendor conspiracy theories) Marcus J. Ranum (Dec 12)
- Re: How to Save The World (was: Antivirus vendor conspiracy theories) Adam Shostack (Dec 12)