Firewall Wizards mailing list archives

Re: How automate firewall tests


From: Tim Shea <tim () tshea net>
Date: Mon, 21 Aug 2006 00:13:22 -0500


And you can equally argue that proxies were never good to begin with. Really - the majority of applications out there have no real layer 7 level proxy, so you have to tackle the problem from other directions. And the off-the-shelf proxies (smtp, dns, http, etc.) don't offer much value, since these applications have been tested to death or the application isn't "protected" anymore. What is the point of recommending a solution that doesn't exist? I am a fan of proxies, but the reality is the firewall - whether it be proxy or other - is only a small part of the equation.

t.s

On Aug 20, 2006, at 10:35 PM, Marcus J. Ranum wrote:

Isaac Van Name wrote:
You have referred to packet-based firewalls as being outdated.

I'm not sure if they're "outdated" as much as "never were particularly good to begin with".

Remember: popularity is not a reliable gauge of quality. The fact that most of the firewalls that are fielded today are packet-based (with a smidgeon of state-tracking thrown in) should concern anyone, when the vast majority of attacks currently being fielded are above the packet layer. If you want to look at things from my (admittedly weird) perspective, the current fondness for "patch your software constantly" is proof positive that packet-based firewalls don't (and never did) work except for at a very gross level.

The architecture of a "good firewall" would be some kind of layer-7 processor that did application protocol correctness verification and minimization, as well as some content analysis and filtering. Of course it'd have to do it extremely fast, or nobody'd want it. Which is why it doesn't exist. To get that much layer-7 processing done at high speeds you'd need silicon, and since silicon isn't particularly mutable (not the fast kind, anyhow) you'd be constantly bumping against application incompatibilities and that wouldn't sit well.

I guess what I'm saying is "hardly anyone actually WANTS a good firewall."

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
