Firewall Wizards mailing list archives
RE: Firewalls Compared
From: "Stiennon,Richard" <Richard.Stiennon () gartner com>
Date: Mon, 28 Jun 2004 23:52:21 -0400
Am I the only one who sees a huge difference between an application proxy (à la the good old days of server-based firewalls) and filters that are applied to payloads (à la Network Intrusion Prevention) by inline network devices?

Let's keep in mind that stateful inspection firewalls are GREAT security devices. They protect over 80% of enterprise networks today. SQL Slammer cannot get through a firewall with port 1443 blocked. Same for MSBlaster, Welchia etc. However, worms can come in through infected laptops or third-party connections. When they connect directly to the corporate LAN you are toast.

It turns out IPS is great at blocking worms, and it is easier to deploy IPS internally because policy setting is simple: MS Blaster yes/no? Worms generally target Microsoft vulnerabilities. Are you going to write application proxies for Exchange? ASN.1? Does anyone other than MSFT even know how these applications communicate? Not. But you know what the vulnerability looks like and could look at traffic and identify malicious activity even without signatures.

The future of network security is all about inspecting traffic. It is not about application proxies.

-Richard Stiennon

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Marcus J. Ranum
Sent: Monday, June 28, 2004 2:56 PM
To: ark () eltex net; Laura Taylor
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Firewalls Compared

ArkanoiD wrote:
I've found that articles are written from "packet filter" point of view, paying almost no attention to application protocol support
With the increasing focus on application-layer attacks, the day of packet filters even being termed "firewalls" is pretty much over. Packet filters were barely firewalls to begin with, but today the fight's mostly up in Layer 7, where they have no value. Of course "we told you so" applies. ;)

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
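The distinction Stiennon draws above (a perimeter port filter never sees a worm that arrives on an infected laptop, whereas an inline inspector judges every payload it sits on) can be shown with a small toy model. This is an added example, not code from the original post or from any product it mentions: the Packet class, the perimeter_filter and inline_inspector functions, the MAX_REQUEST_LEN ceiling and the sample packets are all constructed for illustration; port 1443 is simply the number quoted in the post.

```python
# Added example: toy traffic model contrasting a perimeter port filter with an
# inline payload inspector. All names, values and sample packets are constructed
# for illustration; port 1443 is the number quoted in the post.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str   # "internet" (crosses the perimeter) or "lan" (already inside)
    proto: str      # "udp" or "tcp"
    dst_port: int
    payload: bytes


SERVICE_PORT = 1443                 # port named in the post for the worm's target service
PERIMETER_BLOCKED = {SERVICE_PORT}  # the perimeter firewall's port policy

# Hypothetical ceiling: the largest request a well-formed client would send to
# this service. An inline inspector can flag traffic that breaks what the
# protocol should look like without a per-worm signature.
MAX_REQUEST_LEN = 64


def perimeter_filter(pkt: Packet) -> str:
    """Stateful-inspection style verdict at the network edge.

    The edge device only judges packets that cross it; traffic that starts
    inside the LAN (an infected laptop, a third-party link) never reaches it.
    """
    if pkt.src_zone != "internet":
        return "not-seen"
    return "drop" if pkt.dst_port in PERIMETER_BLOCKED else "allow"


def inline_inspector(pkt: Packet, policy: dict) -> str:
    """Inline IPS-style verdict applied to every packet on the segment.

    ``policy`` is the simple yes/no table the post describes, e.g.
    {"oversized-service-request": True} means "block this class of traffic".
    """
    if (policy.get("oversized-service-request")
            and pkt.proto == "udp"
            and pkt.dst_port == SERVICE_PORT
            and len(pkt.payload) > MAX_REQUEST_LEN):
        return "drop"   # oversized datagram to a service that expects short requests
    return "allow"


def evaluate(packets, policy):
    """Return (perimeter verdict, inline verdict) for each packet, in order."""
    return [(perimeter_filter(p), inline_inspector(p, policy)) for p in packets]


# Constructed sample traffic.
SAMPLE = [
    Packet("internet", "udp", SERVICE_PORT, b"X" * 400),    # worm-style probe from outside
    Packet("lan", "udp", SERVICE_PORT, b"X" * 400),         # same probe from an infected laptop inside
    Packet("lan", "udp", SERVICE_PORT, b"\x02hello"),       # short, well-formed request from inside
    Packet("internet", "tcp", 443, b"GET / HTTP/1.1\r\n"),  # unrelated traffic the perimeter allows
]

if __name__ == "__main__":
    verdicts = evaluate(SAMPLE, {"oversized-service-request": True})
    for pkt, (edge, inline) in zip(SAMPLE, verdicts):
        print(f"{pkt.src_zone:8} {pkt.proto}/{pkt.dst_port:<5} {len(pkt.payload):4}B "
              f"perimeter={edge:8} inline={inline}")
```

Running it shows the second sample packet as the interesting case: the perimeter filter reports "not-seen" because the traffic never crosses the edge, while the inline inspector drops it on payload shape alone; the third packet, a short request to the same port from the same zone, passes. Flipping the policy entry to False turns the inspector back into a pass-through, which is the "yes/no" policy simplicity the post refers to.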