Firewall Wizards mailing list archives

Re: VM system for firewall use


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 12 Oct 2004 11:25:55 -0400 (EDT)

On Tue, 12 Oct 2004, ArkanoiD wrote:

> > 1.  The filter gets all data anyway, so all data going through the proxy
> > is immediately subject to compromise (i.e. the filter can pass back
> > *anything* to compromise an internal machine (say send the next IE browser
> > a GDI exploit?)) and the internal systems talk to the proxy.
>
> No, the proxy is not at all that dumb to get data from the filter back and
> to use it blindly. Its interface to the filter is restricted;
> the filter may not be allowed to modify content at all, just instruct the proxy with
> simple actions.
>
> That's a design issue I should keep in mind.

That's a good design; hopefully the marketing folks that are driving the
changes don't "need" the filtering product to pass back
this-is-why-we-blocked-you HTML, which seems to be the typical chance for
the filtering product manufacturers to get their "brand" in front of the
Web browser, or to make the filter a stand-alone product.

It still amazes me when folks writing security software *design* it well;
I've become very jaded over the years.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
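An added example, not code from the thread or from either poster's product, of the restricted proxy/filter interface discussed above: the proxy accepts only a tiny verdict vocabulary from the filter and renders any block page from its own templates, so filter-supplied bytes never reach the browser. The JSON verdict shape, the reason codes and the function names are assumptions made for the example.

```python
import json
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"

# Block pages are proxy-owned templates; the filter may only name one by key.
BLOCK_PAGES = {
    "policy": b"<html><body>Blocked by content policy.</body></html>",
    "malware": b"<html><body>Blocked: content flagged as malicious.</body></html>",
}
ALLOWED_KEYS = {"action", "reason"}  # assumed verdict vocabulary
MAX_REPLY_BYTES = 256  # a verdict is tiny; anything bigger is not a verdict

class FilterProtocolError(ValueError):
    """The filter's reply stepped outside the agreed vocabulary."""

def parse_verdict(raw: bytes):
    """Parse a filter reply into (Action, reason); reject anything else."""
    if len(raw) > MAX_REPLY_BYTES:
        raise FilterProtocolError("filter reply too large")
    try:
        msg = json.loads(raw.decode("ascii"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise FilterProtocolError(f"malformed filter reply: {exc}") from None
    if not isinstance(msg, dict) or set(msg) - ALLOWED_KEYS:
        raise FilterProtocolError("unexpected fields in filter reply")
    try:
        action = Action(msg.get("action"))
    except ValueError:
        raise FilterProtocolError("unknown action") from None
    reason = msg.get("reason")
    if action is Action.BLOCK and not (isinstance(reason, str) and reason in BLOCK_PAGES):
        raise FilterProtocolError("unknown block reason")
    if action is Action.ALLOW and reason is not None:
        raise FilterProtocolError("reason is only valid with block")
    return action, reason

def build_response(filter_reply: bytes, upstream_body: bytes):
    """Return (status, body) for the client: only the upstream body or a
    proxy-owned template is ever sent, never filter-supplied bytes. Fails closed."""
    try:
        action, reason = parse_verdict(filter_reply)
    except FilterProtocolError:
        return 502, b"<html><body>Content filter error.</body></html>"
    if action is Action.ALLOW:
        return 200, upstream_body
    return 403, BLOCK_PAGES[reason]
```

A filter reply that tries to carry its own HTML (an extra key, an unknown reason, or oversized or non-JSON bytes) is refused in `parse_verdict`, and the proxy fails closed rather than forwarding anything.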
