Firewall Wizards mailing list archives
Re: IPS (was: Sources for Extranet Designs?)
From: Paul Robertson <proberts () patriot net>
Date: Fri, 27 Feb 2004 13:08:29 -0500 (EST)
On Thu, 26 Feb 2004, Gary Flynn wrote:
> > It's no wonder proponents are touting universities (apologies to the .edu admins on this list who've overcome those battles the hard way) - where the "prove it bad" mentality has had its best survival rate.
>
> Hmmm, it sounds like you're assuming that universities have or had a default deny rule. :)

No, the opposite - "prove it's bad and we'll block it" seems to prevail in academia.

> As I mentioned in my previous response, we're basically a broadband ISP provider to 70-80% of the computers on our network - student home computers. While a default deny rule might be a good corporate strategy with limited and well-defined communications needs, it doesn't play well to the average home user... whether their Internet connection is provided by a university network or a commercial broadband home connection. I get complaints because I make games slow or unusable. :(

Only because so many people have gone to the "prove it's bad" setting; otherwise, we'd have application designers doing the right thing protocol-wise.

> And yeah, we could certainly do more in that realm in the non-student areas, and yeah, "academic freedom" is often overused as an excuse, but we do have different needs than a less fluid organization.

Which is why universities will continue to be common abuse and seeding targets.

> That said, we've had several discussions about how we'd implement a general default deny rule recently. And we do have default deny rules in interior portions of the network.

See, in my mind, that's progress - and the current climate is our (collectively) best opportunity to take back ground.

> > Now that we've actually gotten back to the point where firewalls are capable of doing application layer decisions, it seems rather silly to toss that back out again and go with yet-another-miracle.
>
> On what applications? Certainly not all the ones I see go through our Internet connections.

On any application - technology-wise, we're at a point where firewalls can actively make per-packet and, more importantly, per-stream decisions. Now, do we have codified implementations? Not really, but we've got everything from full-on proxies to packet filters to things that, even if they're packet filters, are capable of doing inspection/rejection on higher layer protocols.

> Can you write your own inspection rules for the typical firewall?

FW-1 has had that for quite a while - though not at the stream level AFAIK.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
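The two stances argued over in this exchange, "prove it's bad and we'll block it" versus default deny with explicit allows, together with the per-stream (application-layer) decision Paul mentions, as an added example that is not part of the original thread. The flows, the rule tables and the helper names (`prove_it_bad`, `default_deny`, `looks_like_http`, `looks_like_dns`) are constructed for illustration and do not correspond to any real firewall's rule language:

```python
"""Constructed example: a tiny flow-policy evaluator contrasting a
blocklist ("prove it's bad") policy with a default-deny allowlist that
also checks that each permitted stream looks like the protocol its port
is meant for. Nothing here talks to a real firewall."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    dport: int          # destination port
    payload: bytes = b""  # first bytes of the stream, for application-layer checks


# --- application-layer ("stream") checks ----------------------------------
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def looks_like_http(flow: Flow) -> bool:
    """A TCP stream whose first bytes are an HTTP request line."""
    return flow.proto == "tcp" and flow.payload.startswith(HTTP_METHODS)


def looks_like_dns(flow: Flow) -> bool:
    """A UDP datagram with a 12-byte DNS header, QR=0 (query), QDCOUNT>=1."""
    h = flow.payload
    return (
        flow.proto == "udp"
        and len(h) >= 12
        and (h[2] & 0x80) == 0
        and int.from_bytes(h[4:6], "big") >= 1
    )


# --- policy 1: "prove it's bad" (default allow, block known-bad ports) -----
BLOCKLIST = {("tcp", 135), ("tcp", 445), ("udp", 1434)}  # constructed


def prove_it_bad(flow: Flow) -> str:
    return "deny" if (flow.proto, flow.dport) in BLOCKLIST else "allow"


# --- policy 2: default deny with per-stream protocol checks ---------------
ALLOWLIST = {
    ("tcp", 80): looks_like_http,
    ("tcp", 443): lambda f: True,   # TLS is opaque here: port-level allow only
    ("udp", 53): looks_like_dns,
}


def default_deny(flow: Flow) -> str:
    check = ALLOWLIST.get((flow.proto, flow.dport))
    if check is None:
        return "deny"                # nothing said it was good, so it isn't
    return "allow" if check(flow) else "deny"


# Constructed sample flows: two legitimate services, one known-bad port,
# one unknown service, and a non-HTTP stream hiding on the HTTP port.
SAMPLE_FLOWS = [
    Flow("tcp", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("udp", 53, bytes.fromhex("1a2b01000001000000000000")),
    Flow("tcp", 445, b"\x00\x00\x00\x85\xffSMB"),
    Flow("tcp", 6667, b"NICK someone\r\n"),     # on neither list
    Flow("tcp", 80, b"\x16\x03\x01\x00\xc8"),    # TLS handshake on port 80
]


def evaluate(policy, flows=SAMPLE_FLOWS):
    """Apply one policy function to every flow and return the verdicts."""
    return [policy(f) for f in flows]


if __name__ == "__main__":
    for name, policy in (("prove_it_bad", prove_it_bad), ("default_deny", default_deny)):
        print(name, evaluate(policy))
```

The blocklist policy waves through both the unknown service and the TLS-on-port-80 stream because nobody has yet "proven them bad"; the default-deny policy stops both, and the stream check is what turns a port-number allow into an application-layer decision.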